APD/GBA (Belgium) - 141-2023: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 30: Line 30:
|GDPR_Article_1=Article 77 GDPR
|GDPR_Article_1=Article 77 GDPR
|GDPR_Article_Link_1=Article 77 GDPR
|GDPR_Article_Link_1=Article 77 GDPR
|GDPR_Article_2=
|GDPR_Article_2=Article 12(3) GDPR
|GDPR_Article_Link_2=
|GDPR_Article_Link_2=Article 12 GDPR#3
|GDPR_Article_3=
|GDPR_Article_3=Article 12(4) GDPR
|GDPR_Article_Link_3=
|GDPR_Article_Link_3=Article 12 GDPR#4
|GDPR_Article_4=Article 5(2) GDPR
|GDPR_Article_Link_4=Article 5 GDPR#2


|EU_Law_Name_1=
|EU_Law_Name_1=
Line 61: Line 63:
}}
}}


The Belgian DPA dismissed a complaint brought by the data subject regarding the unlawful disclosure of their personal data by the communications officer of a political party. The DPA decided not to investigate the matter given the lack of substantial evidence and the significant resources the complaint would entail.
The Belgian DPA dismissed a complaint regarding the unlawful disclosure of the data subject's personal data by the communications officer of a political party. Counter to the recent CJEU judgement of [[CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|Joined Cases C‑26/22 and C‑64/22 - SCHUFA]], the DPA decided not to investigate the matter given the lack of "high personal impact".


== English Summary ==
== English Summary ==
Line 84: Line 86:
The Belgian DPA's criteria for "high personal impact" are inspired by those used by the European Data Protection Authorities to identify "high-risk" processing operations that should be subject to a prior impact assessment under [[Article 35 GDPR]]. These criteria take into account both societal (impact on multiple individuals) and personal factors (impact on a single person).
The Belgian DPA's criteria for "high personal impact" are inspired by those used by the European Data Protection Authorities to identify "high-risk" processing operations that should be subject to a prior impact assessment under [[Article 35 GDPR]]. These criteria take into account both societal (impact on multiple individuals) and personal factors (impact on a single person).


This decision by the Belgian DPA to assess whether to decide a case or not on the basis of a 'high personal impact' is seemingly contrary to [[Article 77 GDPR#1|Article 77(1) GDPR]], which gives a data subject the right to lodge a complaint with a supervisory authority. As recently clarified in the Joined [[CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|Cases C‑26/22 and C‑64/22 - SCHUFA]], [[Article 77 GDPR]] is designed as a mechanism to effectively safeguard the rights and interests of data subjects, and under [[Article 57 GDPR#1f|Article 57(1)(f) GDPR]], each DPA is required to handle complaints lodged on the basis of [[Article 77 GDPR#1|Article 77(1) GDPR]] with all due diligence and is mandated to react appropriately to remedy GDPR violations.
This decision by the Belgian DPA to assess whether to decide a case or not on the basis of a 'high personal impact' is seemingly contrary to [[Article 77 GDPR#1|Article 77(1) GDPR]], which gives a data subject the right to lodge a complaint with a supervisory authority. As recently clarified in the [[CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|Joined Cases C‑26/22 and C‑64/22 - SCHUFA]], [[Article 77 GDPR]] is designed as a mechanism to effectively safeguard the rights and interests of data subjects, and under [[Article 57 GDPR#1f|Article 57(1)(f) GDPR]], each DPA is required to handle complaints lodged on the basis of [[Article 77 GDPR#1|Article 77(1) GDPR]] with all due diligence and is mandated to react appropriately to remedy GDPR violations.


== Further Resources ==
== Further Resources ==

Latest revision as of 13:27, 20 December 2023

APD/GBA - 141-2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 77 GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 5(2) GDPR
Article 95 Loi du 3 décembre 2017 portant création de l'Autorité de protection des données (LCA).
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 141-2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: APD (in FR)
Initial Contributor: n/a

The Belgian DPA dismissed a complaint regarding the unlawful disclosure of the data subject's personal data by the communications officer of a political party. Counter to the recent CJEU judgement of Joined Cases C‑26/22 and C‑64/22 - SCHUFA, the DPA decided not to investigate the matter given the lack of "high personal impact".

English Summary

Facts

The data subject was a member of a political party. On 10 March 2023, the data subject contacted the political party's data protection officer (DPO), claiming that their personal data was illegally disclosed to other members by the party's communication officer. The data subject objected to the disclosure and requested information on the measures which would be taken to address the disclosure.

On 03 April 2023, the political party's DPO replied, claiming that the data was processed in accordance with internal rules and that there had been no disclosure of the data subject's personal data.

On 11 April 2023, the data subject announced their dissatisfaction with the decision. After further communications with the party, on 6 June 2023, the data subject first filed a request for mediation to the APD, which was unsuccessful. Thus, on 18 August 2023, the data subject converted their request for mediation into a complaint as permitted by Article 62, §2 of the Loi du 3 Décembre 2017 portant création de l'Autorité de protection des données (LCA).

Holding

The Belgian DPA rejected the complaint under Article 95, § 1, 3° of the LCA and justified its decision as follows.

Firstly, the DPA found that the data subject's claim of a GDPR breach was not sufficiently proven. During the mediation and proceedings, the data subject claimed that the unlawful disclosure of their personal data was supported by testimonies of several persons and police complaints, but no proof was presented.

Secondly, the data subject also expressed dissatisfaction with the answers given by the DPO. Nonetheless, the Belgian DPA noted that the DPO always provided a reply to the data subject within the time limit imposed by Article 12(3) GDPR and Article 12(4) GDPR.

Therefore, the DPA concluded that the grievance raised by the data subject did not correspond to the criteria of high general or personal impact. After weighing the personal impact of the circumstances of the complaint, given the lack of substantial evidence and the significant resources this complaint would entail, the DPA decided not to investigate the matter further. Although, the DPA reminded that any data controller must be able to demonstrate the conformity of its processing with the GDPR under Article 5(2) GDPR.

Comment

The Belgian DPA's criteria for "high personal impact" are inspired by those used by the European Data Protection Authorities to identify "high-risk" processing operations that should be subject to a prior impact assessment under Article 35 GDPR. These criteria take into account both societal (impact on multiple individuals) and personal factors (impact on a single person).

This decision by the Belgian DPA to assess whether to decide a case or not on the basis of a 'high personal impact' is seemingly contrary to Article 77(1) GDPR, which gives a data subject the right to lodge a complaint with a supervisory authority. As recently clarified in the Joined Cases C‑26/22 and C‑64/22 - SCHUFA, Article 77 GDPR is designed as a mechanism to effectively safeguard the rights and interests of data subjects, and under Article 57(1)(f) GDPR, each DPA is required to handle complaints lodged on the basis of Article 77(1) GDPR with all due diligence and is mandated to react appropriately to remedy GDPR violations.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/7




                                                                         ChamberLitigation


                                                      Decision 141/2023 of October 16, 2023



File number: DOS-2023-02498


Subject: Complaint relating to the disclosure of personal data by the party

Belgian politics “..”



The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke

Hijmans, president, sitting alone;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the

protection of natural persons with regard to the processing of personal data and

to the free movement of these data, and repealing Directive 95/46/EC (general regulation on the

data protection), (hereinafter “GDPR”);

Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter

“LCA”);


Having regard to the Law of July 30, 2018 relating to the protection of individuals with regard to

processing of personal data (hereinafter “LTD”);

Considering the Internal Regulations as approved by the House of Representatives on 20

December 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;



Has taken the following decision regarding:



The complainant: X, hereinafter “the complainant”;


The defendant: Y, hereinafter “the defendant”. Decision 141/2023 - 2/7




I. Facts and procedure


 1. On August 18, 2023, the complainant filed a complaint with the Data Protection Authority.
       data (hereinafter “the APD”) against the defendant, the local section of the political party “Y”

       of Braine-l’Alleud (hereinafter “the political party”).


 2. The subject of the complaint concerns the unlawful processing of personal data,

       these would have been used illicitly and disclosed to other members of the party

       policy by Mrs. Z1, the communications manager of the defendant, in order to
       damage its reputation.


 3. On March 10, 2023, the complainant contacted Z2, the party's data protection officer

       policy (hereinafter the “DPO”). She alleges that her personal data, appearing

       in a “listing” of members of the local section of Braine-l’Alleud, would have been
       disclosed. The complainant identifies Madame Z1, the communications manager of the

       defendant, as the alleged perpetrator of the offense. It is based on several

       evidence, in particular an anonymous testimony certificate dated March 4

       2022, which claims that Madame Z1 would have made negative comments about her in private in front of

       the witness and several of her colleagues, while asking them to remove her from their list
       friends on Facebook; and a police complaint filed on October 7, 2022. Other evidence

       would be available, but they must be requested by the DPO.


 4. On March 14, 2023, the DPO acknowledges receipt of the complainant’s email and undertakes to

       undertake the necessary checks.

 5. On April 3, 2023, the complainant sent a reminder to the DPO concerning her email of March 10

       2023, and she expresses her opposition to the illicit use of her data. She asks for

       information on the measures that will be taken to prevent the unlawful processing of its

       data. The same day, the DPO shared the results of his checks and indicated that the

       internal rules were well respected in that the President of the local section of the party
       policy, namely Mr. Z3 in this case, responsible and guarantor of the confidentiality of

       personal data of members of the section within the meaning of article 21, §3 of the

       statutes of the local sections of the political party, would have confirmed to him that, on the one hand, he

       would keep the “listing” of the members of the section in a secure manner and that, on the other hand,

       On the other hand, he would not have entrusted the file in question to another member of the said section.

 6. On April 11, 2023, the complainant expressed her dissatisfaction with the response received and

       expresses concerns about the misuse of his personal data by

       The political party. The complainant bases her assertions on several elements and facts that she

       listed in his email. Decision 141/2023 - 3/7




 7. On June 8, 2023, the complainant filed a request for mediation with the APD against the

       defendant within the meaning of article 22, §1, 2° of the LCA.

 8. On July 3, 2023, the Front Line Service (hereinafter “SPL”) declares the request in

       admissible mediation. On the same date, the SPL contacts the DPO to initiate the

       mediation procedure with the complainant and ask her to respond to the email of April 11

       2023, in which she expressed her concerns about the need to take
       measures to avoid abusive processing of personal data. Furthermore, she

       requested that the recipients of his personal data be informed of

       the misuse of personal data of members of the political party of Braine-

       L’Alleud.

 9. On July 19, 2023, the DPO reiterated that Madame Z1 did not have access to the “listing” of members of the

       political party. In addition, the DPO mentions having reiterated his request to the President of

       the local section of the political party, Mr. Z3, who formally confirmed that he was the only

       responsible for the use of the file of members of its Braine-l’Alleud section. The DPO

       understands the complainant's suspicions, but specifies that they are unfounded. According to

       DPO, the personal data would have been communicated or used outside the
       strict functioning of the party.


 10. On August 1, 2023, the complainant responded to the DPO indicating that she had an interview with the

       president of the Braine-l’Alleud section of the political party on July 28, 2023. She specifies

       that the latter will provide him with answers to questions relating to the use of his
       personal data by mid-August. On this same date, the SPL informed the

       complainant that he received a response from the defendant dated July 19, 2023; and estimates

       that the mediation led to a positive result.


 11. On August 18, 2023, the complainant transformed her request for mediation into a complaint as
       This is permitted by article 62, §2, paragraph 4, 1° of the LCA.


 12. On August 25, 2023, the SPL informed the defendant that the request for mediation had been

       transformed into a complaint by the complainant.


 13. On August 28, 2023, the SPL of the APD declared the complaint admissible on the basis of articles 58 and
       60 of the LCA, and transmits it to the Litigation Chamber in accordance with article 62,

       § 1 of the LCA.



II. Motivation


 14. Pursuant to article 4, §1 of the LCA, the APD is responsible for monitoring the principles of
       data protection contained in the GDPR and other laws containing provisions

       relating to the protection of the processing of personal data. Decision 141/2023 - 4/7




 15. Pursuant to article 33, §1 of the LCA, the Litigation Chamber is the organ of the

       administrative litigation of the APD. It receives complaints that the SPL sends to it in


       application of article 62, §1 of the LCA, or admissible complaints. In accordance with article

       60 paragraph 2 of the LCA, complaints are admissible if they are drawn up in one of the

       national languages, contain a statement of the facts and the necessary information

       to identify the processing of personal data to which they relate and which

       fall under the jurisdiction of the ODA.


 16. Based on the facts described in the complaint file as summarized above, and on

       basis of the powers assigned to it by the legislator under article 95,

       § 1 of the LCA, the Litigation Chamber decides on the follow-up to be given to the file; in

       occurrence, the Litigation Chamber decides to proceed with the classification without further action.


       the complaint, in accordance with article 95, § 1, 3° of the LCA, for the reasons set out below

       After.


 17. In matters of dismissal, the Litigation Chamber is required to provide reasons for its decision.
                           1
       decision by step and to:

             - pronounce a classification without technical follow-up if the file does not contain or not


                 sufficient evidence likely to lead to a sanction or if it includes a

                 technical obstacle preventing it from rendering a decision;


             - or pronounce a classification without further opportunity, if despite the presence

                 of elements likely to lead to a sanction, the continuation of the examination of the

                 file does not seem appropriate given the priorities of the Authority of

                 data protection as specified and illustrated in the Privacy Policy

                 classification without further action by the Litigation Chamber. 2


 18. In the event of dismissal based on several grounds for dismissal, these


       last (respectively, classification without technical follow-up and classification without follow-up
                                                                       3
       opportunity) must be treated in order of importance.


 19. In this case, the Litigation Chamber decides to proceed with a classification without further action

       the complaint for these two reasons. The decision of the Litigation Chamber rests more

       precisely on two reasons why it considers it inappropriate to

       continue monitoring the file, and therefore decides not to proceed, among other things, to

       an examination of the merits of the case.




1Market Court (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18.
2In this regard, the Litigation Chamber refers to its classification policy as developed and published on the Authority’s website
data protection: https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-
litigation.pdf.
3Data protection authority, “Disclosure policy of the Litigation Chamber: 3. – In what cases is my complaint
Is it likely to be closed without further action by the Litigation Chamber? », June 18, 2021, available on
https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf. Decision 141/2023 - 5/7




 20. The Litigation Chamber notes that the complainant denounces the unlawful processing of her

       personal data.


 21. Firstly, the Litigation Chamber finds that the complaint is not sufficiently

       supported by evidence of the existence of a violation of the GDPR or protective laws

       personal data (criteria A. 1 of said policy). Consequently, the Chamber

       Litigation decides to dismiss the complaint for technical reasons.


 22. Despite the allegations that the plaintiff makes against the defendant concerning

       the alleged disclosure of his personal data to other party members

       political, the Litigation Chamber notes that no proof of this meaning appears in the

       file. The complainant, in fact, claims to have received testimonies from people

       who would have obtained illicit access to their personal data, but does not provide any

       nevertheless no trace.


 23. In addition, the complainant relies on the existence of a precedent under which the

       communications manager of the defendant was sanctioned by a former

       employer. However, this sanction cannot lead the Litigation Chamber to

       determination of the existence of a violation of the GDPR or data protection laws

       personal for the facts in this case.

 24. Furthermore, the complainant states that the president of the Braine-l’Alleud local section of


       political party would have confirmed the position of the communications manager of the

       defendant, presumed author of the offense, and as such refers us to an exchange

       informal non-time-stamped between her and him. However, nothing of the sort appears when reading this

       part of the file.

 25. Finally, the complainant expresses her dissatisfaction with the answers given by the DPO of the

       defendant, however, it turns out that he always responded within the time limit given to him


       imposed by Articles 12.3 and 12.4 of the GDPR (see points 5, 8 and 9).

 26. Secondly, and without prejudice to the above, the Litigation Chamber proceeds to

       classification without follow-up for reasons of expediency (criteria B.2 and B.5 of the said policy). 4


 27. On the one hand, the Litigation Chamber notes that the grievance raised by the complainant does not

       does not meet the high general or personal impact criteria, as defined by ODA

       in its note on the no action classification policy of June 18, 2021.


 28. On the other hand, if the criteria of high general or personal impact do not apply, the

       Litigation Chamber weighs the personal impact of the circumstances of the complaint




4A dismissal for reasons of expediency does not mean that the Litigation Chamber legally notes that no
violation has occurred, but the resources required to substantiate the complaint are potentially excessive. ; Protection Authority
data, “Political classification without further action of the Litigation Chamber”, June 18, 2021, available on
https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf Decision 141/2023 - 6/7




       for the rights and fundamental freedoms of the complainant, and the efficiency of her intervention,

       to decide whether it considers it appropriate to deal with the complaint in depth.


       In this case, the Litigation Chamber notes that there are legal proceedings underway

       which includes the grievances made in the complaint filed by the complainant with the police on

       October 7, 2022. However, the Litigation Chamber recalls that it assesses the efficiency

       of its intervention as well as the means necessary to handle the complaint in a manner

       in-depth. In this context, given the absence of substantial evidence (see points

       21 to 25) and the significant resources that this would imply, the Litigation Chamber


       concludes that it would not be appropriate to launch an investigation through the Inspection Service

       to corroborate the complainant's allegations, nor to make decisions parallel to a

       ongoing legal proceedings. Consequently, the Litigation Chamber decides not to

       carry out an examination of the merits of the case.


 29. In conclusion, the Litigation Chamber decides to proceed with the classification without further action.

       the complainant's complaint, both for technical reasons and for reasons of expediency.

 30. For information purposes, and without this constituting any corrective measure


       or sanction within the meaning of article 95, §1 of the LCA, the Litigation Chamber recalls

       nevertheless, any data controller must be able to demonstrate the

       compliance of its processing with the GDPR, and throughout, by virtue of

       Article 5.2 of the GDPR.



III. Publication and communication of the decision


 31. Given the importance of transparency regarding the process


       decision-making and the decisions of the Litigation Chamber, this decision will be published on the

       website of the Data Protection Authority. However, it is not necessary for this

       so that the identification data of the parties are directly communicated.

 32. In accordance with its policy of dismissal, the Litigation Chamber

                                                       5
       will communicate the decision to the defendant(s). Indeed, the Litigation Chamber decided

       to communicate the decisions of dismissal to the defendants by default. There

       Chambre Litigation, however, refrains from such communication when the complainant

       requested anonymity with regard to the defendant(s) and when the communication of the

       decision to the defendant(s), even pseudonymised, nevertheless risks allowing its re-

       identification . This is not the case in the present case.




5
 Data Protection Authority, “Disclosure policy of the Litigation Chamber: 5. – Filing without action will be-
Did he publish? Will the opposing party be informed? », June 18, 2021, available on
6ttps://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf.
 Ibid. Decision 141/2023 - 7/7









    FOR THESE REASONS,


    the Litigation Chamber of the Data Protection Authority decides, after deliberation,

    to dismiss this complaint in accordance with article 95, § 1, 3° of the LCA.






In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days from its notification, to the Court of Markets (court

of Appeal of Brussels), with the Data Protection Authority as defendant.


Such an appeal may be introduced by means of an interlocutory request which must contain the

information listed in article 1034ter of the Judicial Code. The interlocutory request must be

                                                                                                                   8
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , Or

via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.).


To enable it to consider any other possible course of action, the Litigation Chamber refers

the complainant to the explanations provided in its policy of dismissal. 9


The Litigation Chamber emphasizes that the classifications without further action are likely

to be taken into account by the Data Protection Authority in order to set its future priorities

and/or could inspire future initiative investigations by the Inspection Service of the Authority of


Data protection.








(sé). Hielke HIJMANS


President of the Litigation Chamber













7The request contains barely any nullity:

 1° indication of the day, month and year;
 2° the name, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or number
     business;
 3° the surname, first name, address and, where applicable, the status of the person to be summoned;
 4° the object and summary of the grounds of the request;
 5° indication of the judge who is seized of the request;
 6° the signature of the applicant or his lawyer.
8The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to
clerk of the court or filed with the registry.
9Data protection authority, “Disclosure policy of the Litigation Chamber: 4. – What can I do if my complaint
estclasséesanssuite?”, June 18, 2021, available at https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-
suite-of-the-contentious-chamber.pdf.