APD/GBA (Belgium) - 141-2023: Difference between revisions
No edit summary |
No edit summary |
||
(3 intermediate revisions by the same user not shown) | |||
Line 30: | Line 30: | ||
|GDPR_Article_1=Article 77 GDPR | |GDPR_Article_1=Article 77 GDPR | ||
|GDPR_Article_Link_1=Article 77 GDPR | |GDPR_Article_Link_1=Article 77 GDPR | ||
|GDPR_Article_2= | |GDPR_Article_2=Article 12(3) GDPR | ||
|GDPR_Article_Link_2= | |GDPR_Article_Link_2=Article 12 GDPR#3 | ||
|GDPR_Article_3= | |GDPR_Article_3=Article 12(4) GDPR | ||
|GDPR_Article_Link_3= | |GDPR_Article_Link_3=Article 12 GDPR#4 | ||
|GDPR_Article_4=Article 5(2) GDPR | |||
|GDPR_Article_Link_4=Article 5 GDPR#2 | |||
|EU_Law_Name_1= | |EU_Law_Name_1= | ||
Line 61: | Line 63: | ||
}} | }} | ||
The Belgian DPA dismissed a complaint | The Belgian DPA dismissed a complaint regarding the unlawful disclosure of the data subject's personal data by the communications officer of a political party. Counter to the recent CJEU judgement of [[CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|Joined Cases C‑26/22 and C‑64/22 - SCHUFA]], the DPA decided not to investigate the matter given the lack of "high personal impact". | ||
== English Summary == | == English Summary == | ||
Line 84: | Line 86: | ||
The Belgian DPA's criteria for "high personal impact" are inspired by those used by the European Data Protection Authorities to identify "high-risk" processing operations that should be subject to a prior impact assessment under [[Article 35 GDPR]]. These criteria take into account both societal (impact on multiple individuals) and personal factors (impact on a single person). | The Belgian DPA's criteria for "high personal impact" are inspired by those used by the European Data Protection Authorities to identify "high-risk" processing operations that should be subject to a prior impact assessment under [[Article 35 GDPR]]. These criteria take into account both societal (impact on multiple individuals) and personal factors (impact on a single person). | ||
This decision by the Belgian DPA to assess whether to decide a case or not on the basis of a 'high personal impact' is seemingly contrary to [[Article 77 GDPR#1|Article 77(1) GDPR]], which gives a data subject the right to lodge a complaint with a supervisory authority. As recently clarified in the | This decision by the Belgian DPA to assess whether to decide a case or not on the basis of a 'high personal impact' is seemingly contrary to [[Article 77 GDPR#1|Article 77(1) GDPR]], which gives a data subject the right to lodge a complaint with a supervisory authority. As recently clarified in the [[CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|Joined Cases C‑26/22 and C‑64/22 - SCHUFA]], [[Article 77 GDPR]] is designed as a mechanism to effectively safeguard the rights and interests of data subjects, and under [[Article 57 GDPR#1f|Article 57(1)(f) GDPR]], each DPA is required to handle complaints lodged on the basis of [[Article 77 GDPR#1|Article 77(1) GDPR]] with all due diligence and is mandated to react appropriately to remedy GDPR violations. | ||
== Further Resources == | == Further Resources == |
Latest revision as of 13:27, 20 December 2023
APD/GBA - 141-2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 77 GDPR Article 12(3) GDPR Article 12(4) GDPR Article 5(2) GDPR Article 95 Loi du 3 décembre 2017 portant création de l'Autorité de protection des données (LCA). |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 141-2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | APD (in FR) |
Initial Contributor: | n/a |
The Belgian DPA dismissed a complaint regarding the unlawful disclosure of the data subject's personal data by the communications officer of a political party. Counter to the recent CJEU judgement of Joined Cases C‑26/22 and C‑64/22 - SCHUFA, the DPA decided not to investigate the matter given the lack of "high personal impact".
English Summary
Facts
The data subject was a member of a political party. On 10 March 2023, the data subject contacted the political party's data protection officer (DPO), claiming that their personal data was illegally disclosed to other members by the party's communication officer. The data subject objected to the disclosure and requested information on the measures which would be taken to address the disclosure.
On 03 April 2023, the political party's DPO replied, claiming that the data was processed in accordance with internal rules and that there had been no disclosure of the data subject's personal data.
On 11 April 2023, the data subject announced their dissatisfaction with the decision. After further communications with the party, on 6 June 2023, the data subject first filed a request for mediation to the APD, which was unsuccessful. Thus, on 18 August 2023, the data subject converted their request for mediation into a complaint as permitted by Article 62, §2 of the Loi du 3 Décembre 2017 portant création de l'Autorité de protection des données (LCA).
Holding
The Belgian DPA rejected the complaint under Article 95, § 1, 3° of the LCA and justified its decision as follows.
Firstly, the DPA found that the data subject's claim of a GDPR breach was not sufficiently proven. During the mediation and proceedings, the data subject claimed that the unlawful disclosure of their personal data was supported by testimonies of several persons and police complaints, but no proof was presented.
Secondly, the data subject also expressed dissatisfaction with the answers given by the DPO. Nonetheless, the Belgian DPA noted that the DPO always provided a reply to the data subject within the time limit imposed by Article 12(3) GDPR and Article 12(4) GDPR.
Therefore, the DPA concluded that the grievance raised by the data subject did not correspond to the criteria of high general or personal impact. After weighing the personal impact of the circumstances of the complaint, given the lack of substantial evidence and the significant resources this complaint would entail, the DPA decided not to investigate the matter further. Although, the DPA reminded that any data controller must be able to demonstrate the conformity of its processing with the GDPR under Article 5(2) GDPR.
Comment
The Belgian DPA's criteria for "high personal impact" are inspired by those used by the European Data Protection Authorities to identify "high-risk" processing operations that should be subject to a prior impact assessment under Article 35 GDPR. These criteria take into account both societal (impact on multiple individuals) and personal factors (impact on a single person).
This decision by the Belgian DPA to assess whether to decide a case or not on the basis of a 'high personal impact' is seemingly contrary to Article 77(1) GDPR, which gives a data subject the right to lodge a complaint with a supervisory authority. As recently clarified in the Joined Cases C‑26/22 and C‑64/22 - SCHUFA, Article 77 GDPR is designed as a mechanism to effectively safeguard the rights and interests of data subjects, and under Article 57(1)(f) GDPR, each DPA is required to handle complaints lodged on the basis of Article 77(1) GDPR with all due diligence and is mandated to react appropriately to remedy GDPR violations.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/7 ChamberLitigation Decision 141/2023 of October 16, 2023 File number: DOS-2023-02498 Subject: Complaint relating to the disclosure of personal data by the party Belgian politics “..” The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, president, sitting alone; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and to the free movement of these data, and repealing Directive 95/46/EC (general regulation on the data protection), (hereinafter “GDPR”); Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter “LCA”); Having regard to the Law of July 30, 2018 relating to the protection of individuals with regard to processing of personal data (hereinafter “LTD”); Considering the Internal Regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has taken the following decision regarding: The complainant: X, hereinafter “the complainant”; The defendant: Y, hereinafter “the defendant”. Decision 141/2023 - 2/7 I. Facts and procedure 1. On August 18, 2023, the complainant filed a complaint with the Data Protection Authority. data (hereinafter “the APD”) against the defendant, the local section of the political party “Y” of Braine-l’Alleud (hereinafter “the political party”). 2. The subject of the complaint concerns the unlawful processing of personal data, these would have been used illicitly and disclosed to other members of the party policy by Mrs. Z1, the communications manager of the defendant, in order to damage its reputation. 3. On March 10, 2023, the complainant contacted Z2, the party's data protection officer policy (hereinafter the “DPO”). She alleges that her personal data, appearing in a “listing” of members of the local section of Braine-l’Alleud, would have been disclosed. The complainant identifies Madame Z1, the communications manager of the defendant, as the alleged perpetrator of the offense. It is based on several evidence, in particular an anonymous testimony certificate dated March 4 2022, which claims that Madame Z1 would have made negative comments about her in private in front of the witness and several of her colleagues, while asking them to remove her from their list friends on Facebook; and a police complaint filed on October 7, 2022. Other evidence would be available, but they must be requested by the DPO. 4. On March 14, 2023, the DPO acknowledges receipt of the complainant’s email and undertakes to undertake the necessary checks. 5. On April 3, 2023, the complainant sent a reminder to the DPO concerning her email of March 10 2023, and she expresses her opposition to the illicit use of her data. She asks for information on the measures that will be taken to prevent the unlawful processing of its data. The same day, the DPO shared the results of his checks and indicated that the internal rules were well respected in that the President of the local section of the party policy, namely Mr. Z3 in this case, responsible and guarantor of the confidentiality of personal data of members of the section within the meaning of article 21, §3 of the statutes of the local sections of the political party, would have confirmed to him that, on the one hand, he would keep the “listing” of the members of the section in a secure manner and that, on the other hand, On the other hand, he would not have entrusted the file in question to another member of the said section. 6. On April 11, 2023, the complainant expressed her dissatisfaction with the response received and expresses concerns about the misuse of his personal data by The political party. The complainant bases her assertions on several elements and facts that she listed in his email. Decision 141/2023 - 3/7 7. On June 8, 2023, the complainant filed a request for mediation with the APD against the defendant within the meaning of article 22, §1, 2° of the LCA. 8. On July 3, 2023, the Front Line Service (hereinafter “SPL”) declares the request in admissible mediation. On the same date, the SPL contacts the DPO to initiate the mediation procedure with the complainant and ask her to respond to the email of April 11 2023, in which she expressed her concerns about the need to take measures to avoid abusive processing of personal data. Furthermore, she requested that the recipients of his personal data be informed of the misuse of personal data of members of the political party of Braine- L’Alleud. 9. On July 19, 2023, the DPO reiterated that Madame Z1 did not have access to the “listing” of members of the political party. In addition, the DPO mentions having reiterated his request to the President of the local section of the political party, Mr. Z3, who formally confirmed that he was the only responsible for the use of the file of members of its Braine-l’Alleud section. The DPO understands the complainant's suspicions, but specifies that they are unfounded. According to DPO, the personal data would have been communicated or used outside the strict functioning of the party. 10. On August 1, 2023, the complainant responded to the DPO indicating that she had an interview with the president of the Braine-l’Alleud section of the political party on July 28, 2023. She specifies that the latter will provide him with answers to questions relating to the use of his personal data by mid-August. On this same date, the SPL informed the complainant that he received a response from the defendant dated July 19, 2023; and estimates that the mediation led to a positive result. 11. On August 18, 2023, the complainant transformed her request for mediation into a complaint as This is permitted by article 62, §2, paragraph 4, 1° of the LCA. 12. On August 25, 2023, the SPL informed the defendant that the request for mediation had been transformed into a complaint by the complainant. 13. On August 28, 2023, the SPL of the APD declared the complaint admissible on the basis of articles 58 and 60 of the LCA, and transmits it to the Litigation Chamber in accordance with article 62, § 1 of the LCA. II. Motivation 14. Pursuant to article 4, §1 of the LCA, the APD is responsible for monitoring the principles of data protection contained in the GDPR and other laws containing provisions relating to the protection of the processing of personal data. Decision 141/2023 - 4/7 15. Pursuant to article 33, §1 of the LCA, the Litigation Chamber is the organ of the administrative litigation of the APD. It receives complaints that the SPL sends to it in application of article 62, §1 of the LCA, or admissible complaints. In accordance with article 60 paragraph 2 of the LCA, complaints are admissible if they are drawn up in one of the national languages, contain a statement of the facts and the necessary information to identify the processing of personal data to which they relate and which fall under the jurisdiction of the ODA. 16. Based on the facts described in the complaint file as summarized above, and on basis of the powers assigned to it by the legislator under article 95, § 1 of the LCA, the Litigation Chamber decides on the follow-up to be given to the file; in occurrence, the Litigation Chamber decides to proceed with the classification without further action. the complaint, in accordance with article 95, § 1, 3° of the LCA, for the reasons set out below After. 17. In matters of dismissal, the Litigation Chamber is required to provide reasons for its decision. 1 decision by step and to: - pronounce a classification without technical follow-up if the file does not contain or not sufficient evidence likely to lead to a sanction or if it includes a technical obstacle preventing it from rendering a decision; - or pronounce a classification without further opportunity, if despite the presence of elements likely to lead to a sanction, the continuation of the examination of the file does not seem appropriate given the priorities of the Authority of data protection as specified and illustrated in the Privacy Policy classification without further action by the Litigation Chamber. 2 18. In the event of dismissal based on several grounds for dismissal, these last (respectively, classification without technical follow-up and classification without follow-up 3 opportunity) must be treated in order of importance. 19. In this case, the Litigation Chamber decides to proceed with a classification without further action the complaint for these two reasons. The decision of the Litigation Chamber rests more precisely on two reasons why it considers it inappropriate to continue monitoring the file, and therefore decides not to proceed, among other things, to an examination of the merits of the case. 1Market Court (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18. 2In this regard, the Litigation Chamber refers to its classification policy as developed and published on the Authority’s website data protection: https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre- litigation.pdf. 3Data protection authority, “Disclosure policy of the Litigation Chamber: 3. – In what cases is my complaint Is it likely to be closed without further action by the Litigation Chamber? », June 18, 2021, available on https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf. Decision 141/2023 - 5/7 20. The Litigation Chamber notes that the complainant denounces the unlawful processing of her personal data. 21. Firstly, the Litigation Chamber finds that the complaint is not sufficiently supported by evidence of the existence of a violation of the GDPR or protective laws personal data (criteria A. 1 of said policy). Consequently, the Chamber Litigation decides to dismiss the complaint for technical reasons. 22. Despite the allegations that the plaintiff makes against the defendant concerning the alleged disclosure of his personal data to other party members political, the Litigation Chamber notes that no proof of this meaning appears in the file. The complainant, in fact, claims to have received testimonies from people who would have obtained illicit access to their personal data, but does not provide any nevertheless no trace. 23. In addition, the complainant relies on the existence of a precedent under which the communications manager of the defendant was sanctioned by a former employer. However, this sanction cannot lead the Litigation Chamber to determination of the existence of a violation of the GDPR or data protection laws personal for the facts in this case. 24. Furthermore, the complainant states that the president of the Braine-l’Alleud local section of political party would have confirmed the position of the communications manager of the defendant, presumed author of the offense, and as such refers us to an exchange informal non-time-stamped between her and him. However, nothing of the sort appears when reading this part of the file. 25. Finally, the complainant expresses her dissatisfaction with the answers given by the DPO of the defendant, however, it turns out that he always responded within the time limit given to him imposed by Articles 12.3 and 12.4 of the GDPR (see points 5, 8 and 9). 26. Secondly, and without prejudice to the above, the Litigation Chamber proceeds to classification without follow-up for reasons of expediency (criteria B.2 and B.5 of the said policy). 4 27. On the one hand, the Litigation Chamber notes that the grievance raised by the complainant does not does not meet the high general or personal impact criteria, as defined by ODA in its note on the no action classification policy of June 18, 2021. 28. On the other hand, if the criteria of high general or personal impact do not apply, the Litigation Chamber weighs the personal impact of the circumstances of the complaint 4A dismissal for reasons of expediency does not mean that the Litigation Chamber legally notes that no violation has occurred, but the resources required to substantiate the complaint are potentially excessive. ; Protection Authority data, “Political classification without further action of the Litigation Chamber”, June 18, 2021, available on https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf Decision 141/2023 - 6/7 for the rights and fundamental freedoms of the complainant, and the efficiency of her intervention, to decide whether it considers it appropriate to deal with the complaint in depth. In this case, the Litigation Chamber notes that there are legal proceedings underway which includes the grievances made in the complaint filed by the complainant with the police on October 7, 2022. However, the Litigation Chamber recalls that it assesses the efficiency of its intervention as well as the means necessary to handle the complaint in a manner in-depth. In this context, given the absence of substantial evidence (see points 21 to 25) and the significant resources that this would imply, the Litigation Chamber concludes that it would not be appropriate to launch an investigation through the Inspection Service to corroborate the complainant's allegations, nor to make decisions parallel to a ongoing legal proceedings. Consequently, the Litigation Chamber decides not to carry out an examination of the merits of the case. 29. In conclusion, the Litigation Chamber decides to proceed with the classification without further action. the complainant's complaint, both for technical reasons and for reasons of expediency. 30. For information purposes, and without this constituting any corrective measure or sanction within the meaning of article 95, §1 of the LCA, the Litigation Chamber recalls nevertheless, any data controller must be able to demonstrate the compliance of its processing with the GDPR, and throughout, by virtue of Article 5.2 of the GDPR. III. Publication and communication of the decision 31. Given the importance of transparency regarding the process decision-making and the decisions of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for this so that the identification data of the parties are directly communicated. 32. In accordance with its policy of dismissal, the Litigation Chamber 5 will communicate the decision to the defendant(s). Indeed, the Litigation Chamber decided to communicate the decisions of dismissal to the defendants by default. There Chambre Litigation, however, refrains from such communication when the complainant requested anonymity with regard to the defendant(s) and when the communication of the decision to the defendant(s), even pseudonymised, nevertheless risks allowing its re- identification . This is not the case in the present case. 5 Data Protection Authority, “Disclosure policy of the Litigation Chamber: 5. – Filing without action will be- Did he publish? Will the opposing party be informed? », June 18, 2021, available on 6ttps://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf. Ibid. Decision 141/2023 - 7/7 FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, after deliberation, to dismiss this complaint in accordance with article 95, § 1, 3° of the LCA. In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days from its notification, to the Court of Markets (court of Appeal of Brussels), with the Data Protection Authority as defendant. Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory request must be 8 filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , Or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.). To enable it to consider any other possible course of action, the Litigation Chamber refers the complainant to the explanations provided in its policy of dismissal. 9 The Litigation Chamber emphasizes that the classifications without further action are likely to be taken into account by the Data Protection Authority in order to set its future priorities and/or could inspire future initiative investigations by the Inspection Service of the Authority of Data protection. (sé). Hielke HIJMANS President of the Litigation Chamber 7The request contains barely any nullity: 1° indication of the day, month and year; 2° the name, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or number business; 3° the surname, first name, address and, where applicable, the status of the person to be summoned; 4° the object and summary of the grounds of the request; 5° indication of the judge who is seized of the request; 6° the signature of the applicant or his lawyer. 8The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to clerk of the court or filed with the registry. 9Data protection authority, “Disclosure policy of the Litigation Chamber: 4. – What can I do if my complaint estclasséesanssuite?”, June 18, 2021, available at https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans- suite-of-the-contentious-chamber.pdf.