APD/GBA (Belgium) - 74/2024: Difference between revisions

From GDPRhub
No edit summary
 
(One intermediate revision by the same user not shown)
Line 65: Line 65:
}}
}}


The DPA held that the use of a data subject’s email address for electoral propaganda purposes must be based on consent.
The DPA held that the use of a data subject’s email address for political advertising purposes must be based on consent.


== English Summary ==
== English Summary ==
Line 90: Line 90:


Second, regarding the access request in order to discover the source of the data used, the APD considered that the controller sent vague and imprecise information about the source of the data subject’s personal data. Therefore, the APD concluded that there may have been a breach of [[Article 5 GDPR#1a|Articles 5(1)(a)]] and [[Article 12 GDPR#1|12(1) GDPR]].  
Second, regarding the access request in order to discover the source of the data used, the APD considered that the controller sent vague and imprecise information about the source of the data subject’s personal data. Therefore, the APD concluded that there may have been a breach of [[Article 5 GDPR#1a|Articles 5(1)(a)]] and [[Article 12 GDPR#1|12(1) GDPR]].  
Third, the APD reminded the controller of the rules governing the processing of personal data in the context of elections. The promotion of the activities of political associations and foundations by means of a solicited or unsolicited communication addressed directly to one or more natural persons, by any means, involving the processing of personal data must rely on consent. The DPA also stressed the importance of the purpose limitation principle and the transparency principle. The APD also recalled the possibility of transmitting a list of voters to a subcontractor asked to carry out the electoral campaign. However, there must be a prior contractual relationship guaranteeing, in particular, sufficient technical and organizational measures to ensure the security of the personal data. Finally, the DPA insisted on the data subject’s right to object to the processing.


Hence, the APD issued a prima facie warning to the controller.
Hence, the APD issued a prima facie warning to the controller.

Latest revision as of 08:59, 21 May 2024

APD/GBA - 74/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 6 GDPR
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 13(1) ePrivacy directive
Type: Complaint
Outcome: Upheld
Started: 05.04.2024
Decided: 16.05.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 74/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: nzm

The DPA held that the use of a data subject’s email address for political advertising purposes must be based on consent.

English Summary

Facts

On 30 January 2024, the data subject received an email from a candidate in the June 2024 regional elections (‘controller’), promoting their programme. On 3 January 2024, the data subject responded to the email indicating that Belgian law prohibits political spamming practices. He also indicated that he no longer wished for the controller to use his data, and made an access request, in particular to understand where the controller collected his personal data.

On 5 February 2024, the controller responded to the access request by explaining that the data subject’s personal data was probably already in his address book, although it was possible that friends had given it to him.

On 5 April 2024, the data subject lodged a complaint with the Belgian DPA (‘APD’).

Holding

First, regarding the use of the data subject’s email address for electoral propaganda purposes, Article 6(1)(a) GDPR establishes that the processing of personal data is lawful if the data subject has consented to the processing. Article 13(1) ePrivacy directive states that the use of an email for the purposes of direct marketing may be authorised only if the targeted subscribers have given consent. Furthermore, the APD published a note on the processing of personal data in the context of elections in which it established that the targeting people with political propaganda on the basis of voters’ personal data must be considered direct marketing within the meaning of the GDPR and ePrivacy Directive.

In the present case, the APD noted that the data subject did not give consent to the processing of his email address for direct marketing purposes. Therefore, the DPA held that the controller may have breached Article 6(1)(a) GDPR as well as Article 13(1) ePrivacy directive.

The DPA examined the possibility of invoking legitimate interest under Article 6(1)(f) GDPR as a legal basis. This article establishes that the processing of personal data is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller, unless the interests or fundamental rights and freedoms of the data subject prevail. Recital 47 GDPR states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. In CJEU, 4 May 2017, Rigas, C-13/16, the Court of Justice held that Article 6(1)(f) GDPR lays down three cumulative conditions. (i) the pursuit of a legitimate interest by the controller, (ii) the necessity of the processing in order to achieve the legitimate interest pursued and (iii) the fundamental rights and freedoms of the data subject must not prevail.

Regarding the pursuit of a legitimate interest, Belgian law provides that candidates in elections may promote their programme through communications. Moreover, the APD described the controller’s interest as ‘sending direct marketing communications to promote the electoral programme for the regional elections in June 2024’. Thus, the controller’s interest is sufficiently specific that it represents a real and present interest. The APD considered that the controller is pursuing a legitimate interest.

Regarding the necessity of the processing in order to achieve the legitimate interest, the APD took into account the existence of less intrusive means to attain the objective. The DPA considered that an election programme can be promoted by means of flyers placed in people’s mailboxes for example, which is far less intrusive, even if It may require some extra effort. Therefore, the APD held that the direct marketing was not strictly necessary to the legitimate interest pursued, namely the promotion of its electoral programme.

Thus, the APD concluded that the controller may have committed a potential breach of Article 6 GDPR.

Second, regarding the access request in order to discover the source of the data used, the APD considered that the controller sent vague and imprecise information about the source of the data subject’s personal data. Therefore, the APD concluded that there may have been a breach of Articles 5(1)(a) and 12(1) GDPR.

Hence, the APD issued a prima facie warning to the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/9




                                                                 Litigation Chamber


                                                      Decision 74/2024 of May 16, 2024

File number: DOS-2024-00641

Subject: Complaint relating to unlawful collection of personal data as well as

spamming in the context of elections.



The Litigation Chamber of the Data Protection Authority, made up of

Mr. Hielke H IJMANS, president, sitting alone;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016
relating to the protection of natural persons with regard to the processing of data

personal character and the free movement of such data, and repealing the Directive

95/46/EC (general data protection regulation), hereinafter “GDPR”;


Vula Law of December 3, 2017 establishing the Data Protection Authority, hereinafter

after “LCA”;

Having regard to the Law of July 30, 2018 relating to the protection of individuals with regard to

processing of personal data, hereinafter “LTD”;


Considering the Internal Regulations as approved by the House of Representatives on

December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;



Has taken the following decision regarding:


The complainant: Mr.


The defendant: Mr. Y, hereinafter “the defendant”. Decision 74/2023 - 2/9



I. Facts and procedure



1. On April 5, 2024, the complainant filed a complaint with the Data Protection Authority.

    data (hereinafter “the DPA”) against the defendant party, Mr. Y (hereinafter “the party

    defendant” or “the defendant”).


2. The subject of the complaint concerns an unlawful collection of personal data as well as a

    unsolicited marketing communication.


3. On January 30, 2024, the plaintiff receives an email from the defendant, a candidate in the elections

    regional elections of June 2024, aimed at promoting its program.


4. On February 3, 2024, the complainant responded by indicating the provisions of Belgian law prohibiting

    spam practices policy and right to refuse or withdraw consent to use

    of their data under Article 13 of the GDPR, including the right not to receive

    unsolicited communications. The same day, the complainant exercises his right of access

    in accordance with Article 15 of the GDPR and requests the source and/or method by which the

    defendant collected the plaintiff's personal data.


5. On February 5, 2024, the defendant responded to the plaintiff's request for access by explaining that

    his personal data must undoubtedly already be in his address book

    email. She adds that it is also possible that friends gave her her contact details.



6. On February 22, 2024, the complaint was declared admissible by the First Line Service (hereinafter
                                                         [1]
    “SPL”) on the basis of articles 58 and 60 of the LCA and the complaint was transmitted to the Chamber
    Litigation under article 62, § 1 of the LCA.2]




II. Motivation


7. The Litigation Chamber notes that the complainant's grievances relate on the one hand, (a) to the

    unlawful processing of his data, in particular the use of his electronic address for purposes

    electoral propaganda purposes; and on the other hand (b) on the exercise of his right of access in order to

    discover the source of the data used.



8. Firstly, in accordance with article 6.1.a) of the GDPR, processing of data of a

    personal is lawful if “the person concerned has consented to the processing of their data

    personal character for one or more specific purposes; (…)”. Section 13.1 of the



[Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been
declared admissible.
[2Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that following
this complaint, the file was sent to him. Decision 74/2023 - 3/9



    Directive 2002/58/EC (hereinafter, “e-Privacy Directive”), applicable in its capacity as Lex

    Specialis, specifies that “the use (…) of electronic mail for prospecting purposes

    direct can only be authorized if it targets subscribers who have given their consent


    prior. »


                                                          2
9. Furthermore, in its Recommendation 01/2020, the APD explains that direct marketing

    also includes the promotion of the aims and ideals of any organization, including

    policy . The Note in the context of the 2024 elections (hereinafter, “Note 2024) specifies as to

    she that “there can be no doubt as to the fact that the targeted dissemination of propaganda

    policy on the personal data base of voters must be considered as

    “direct marketing” in the sense of the term prospecting in the GDPR and the e-Directive

    Privacy. »5



10. In this case, the Litigation Chamber notes that the complainant did not give his


    consent to the processing of personal data, including address

    personal electronic mail, for direct marketing purposes. Consequently, the defendant

    could have disregarded article 6.1.a) of the GDPR juncto article 13.1 of the e-Privacy Directive such

    as interpreted by Recommendation 01/2020 and clarified by Note 2024, by sending a

    electronic email for the purpose of direct marketing of its electoral program.



11. For exhaustive purposes, the Litigation Chamber examines a legal basis that the defendant

    could invoke, namely article 6.1.f) of the GDPR. The latter provides that a treatment of

    personal data is lawful if it “is necessary for the purposes of the legitimate interests

    pursued by the data controller (…), unless interests or reasons prevail.

    fundamental rights and freedoms of the person concerned (…)”. Recital 47 of the GDPR

    specifies that “the processing of personal data for prospecting purposes may

    be considered as being carried out to meet a legitimate interest. ".




12. The APD recalls in its Note 2024 that “sending electronic messages to the computer of

    the data subject being particularly intrusive, the interests or freedoms and rights

    fundamentals of the person concerned in principle weigh more heavily than the

    legitimate interests of the controller. Sending electronic messages is therefore not

    admissible only if the person concerned first gives consent for such


1
 Article 13.1 of Directive 2002/58/EC of July 12, 2002 concerning the processing of personal data and the
protection of privacy in the electronic communications sector.
2Recommendation 01/2020 of January 17, 2020 relating to the processing of personal data for the purposes of
Direct marketing. Available: https://www.autoriteprotectiondonnees.be/publications/recommandation-n-01-2020.pdf
3Ibid., point 13.
4Note on data processing in the context of elections (2024). Available :
https://www.autoriteprotectiondonnees.be/publications/note-sur-le-traitement-des-donnees-dans-le-cadre-des-

5elections.pdf
 Ibid., p.2. Decision 74/2023 - 4/9



    processing of personal data. It is indeed legitimate that the voter must

    first give consent before such communication for purposes of

    direct marketing can be addressed to him.” 6




13. In this case, the Litigation Chamber considers it necessary to establish the lawfulness of the processing under

    the angle of article 6.1.f) of the GDPR. The CJEU stated in its Rigas judgment that this article provides

    three cumulative conditions; “firstly, the pursuit of a legitimate interest by the

    responsible for the processing (…), secondly, the need for the processing of data to

    personal character for the realization of the legitimate interest pursued, and, thirdly, the

    condition that the fundamental rights and freedoms of the person concerned by the protection

    data does not prevail. ". It involves applying these three conditions in order to determine whether

    the data processing carried out by the defendant in this situation is lawful in the sense

    of article 6.1.f) of the GDPR.




14. As for the first condition of legitimacy of the interest, the EDPB specifies that it must be lawful,
                                                                             8
    sufficiently specific and must represent a real and current interest. The interest of promotion

    of an electoral program finds its basis in Belgian electoral laws. It is in fact

    provided for by Belgian law that candidates in electoral elections can promote

    of their program through communications. The interest is lawful. Furthermore, based on

    information available, the Litigation Chamber describes the interest of the defendant

    as such: sending direct marketing communications for program promotion purposes

    electoral for the regional elections of June 2024. It can therefore be inferred that the interest of the

    defendant is sufficiently specific and represents a real and present interest. There

    defendant pursues a legitimate interest.



15. As for the second condition of the necessity of the processing for the realization of the interest

    legitimate pursuit, it is important to remember that “derogations and restrictions on

    principle of protection of personal data must operate within the limits of the

    strictly necessary.” To this end, it is necessary to establish whether less invasive means would

    could have been used by the defendant to achieve the legitimate interest pursued. The promotion


    of an electoral program can be made through flyers placed in post office boxes

    citizens. This practice is common during election periods. Although the flyer submission

    may require additional effort, the nature is significantly less invasive than that


6
7Ibid., p.19.
 CJEU Judgment of May 4, 2017, Riga satiksme, C-13/16 ECLI:EU:C:2017:336, para 28, and CJEU, Judgment of December 7, 2023,
Joined cases C-26/22 and C-64/22, Schufa, ECLI:EU:C:2023:958, para. 74.
8EDPB Opinion 06/2014 on the notion of legitimate interest of the data controller under Article 7 of the Directive
95/46/EC, p.24.
9In this regard, see the elections.brussels website and more particularly: https://elections.brussels/reglementation-de-
campaign.
10
  CJEU C-13/16 Rigas Satiksme, paragraph 30; CJEU C-92/09 and C-93/09 Volker und Markis Schecke and Eifert, EU:C:2010:662,
item 86; and CJEU C-473/12, IPI, EU:C:2013:715, point 39. Decision 74/2023 - 5/9



    represents takes precedence over the effort required. The direct marketing carried out by the defendant is not

    therefore not strictly necessary for the realization of the legitimate interest pursued, namely the
    promotion of its electoral program.



16. As for the third criterion for balancing fundamental freedoms and rights. THE

    conditions of the CJEU triple test are cumulative, the failure of the second criterion renders

    already the pursuit of the legitimate interest of the potentially illicit defendant in

    meaning of article 6.1.f) of the GDPR. Given the intrusive and not strictly necessary nature of the

    direct marketing of the defendant, the Litigation Chamber does not consider it important

    to carry out this weighting exercise. In addition, it is specified in Note 2024 that “the
    presence of compelling legitimate grounds for the processing on the part of political parties or

    of candidates, is deemed not to be fulfilled in the context of sending personalized messages

    by email or SMS as there is no balance between legitimate interests

    of the controller to process personal data for the purposes of

    direct marketing and that of the person concerned not to be disturbed. ”.11



17. In conclusion, the Litigation Chamber considers that the defendant could have committed

    potential violation of Article 6 of the GDPR by unlawfully processing data

    personal data of the complainant for electoral propaganda purposes, without having a legal basis

    appropriate.


18. Secondly, it should be remembered that according to Article 5.1.a) juncto Article 12.1 of the GDPR,

    every data subject has the right to receive information concerning the origin of their

    personal data. This information must be provided concisely,

    transparent, understandable, and easily accessible, in clear and simple terms.



19. It appears from the documents in the file that the defendant may have disregarded Article 5.1.a)

    juncto article 12.1 of the GDPR by having transmitted vague and imprecise information relating to

    to the source of the complainant's personal data. Indeed, the terms used in the

    The defendant's response is imprecise, indicating that the plaintiff's data "

    […] [had] to be included in a collective email concerning an evening, an activity, a

    event or a request for a common gift” and that it is also possible that “some

    friends [have] also sent addresses of friends who they thought could be
                 12
    interested”.








1Note 2024, p.19.
12The annexes to the complaint filed on April 5, 2024. Decision 74/2023 - 6/9



20. In view of the potential breaches observed above, the Litigation Chamber recalls the

    application rules concerning the processing of personal data in the context of


    elections.


21. Firstly, the promotion of activities of associations and foundations of a political nature

    through a solicited or unsolicited communication addressed directly to one or more

    several natural persons, by any means, involving data processing


    of a personal nature constitutes “direct marketing” as understood by the GDPR and the
                         13
    e-Privacy Directive. In order to send such communications, the consent of the person(s)

    person(s) concerned for the purpose of receiving these communications will be necessary (cf.

    points 7 to 10 of this decision). It is nevertheless legal to carry out propaganda

    paper election using voter lists, as provided for by electoral laws and

    subject to certain conditions. 14



22. Secondly, the Litigation Chamber recalls the importance of the principle of finality

    requiring that personal data be collected for purposes

    determined, explicit and legitimate, and are not subsequently processed in a manner

    incompatible with its purposes. Here she recalls her decisions 10/2019, 11/2019 and 39/2020

    in which it deemed the reuse of lists incompatible and in violation of the GDPR

    electoral, clients or citizens concerned by an urban planning project for

    prospecting for an electoral program in the context of the 2018 elections. 16



23. Thirdly, the Litigation Chamber recalls the conditions inherent to the principle of

    transparency. The data controller must communicate to the data subject,

    among other things, the following information relating to the processing of personal data

    personal; the reasons for the processing, the legal basis on which the processing is based, the identity


    of the data controller (surname, first name, email address and postal address), the origin of the

    data as well as the existence of the right to information (see point 11 of this decision),

    access, rectification and opposition. This information must be transmitted if the data

    of a personal nature are transmitted by the person concerned as well as if they are not

    collected from her .8



24. Fourth, the Litigation Chamber recalls the possibility of transmitting a list of

    voters to a subcontractor, requested to carry out an electoral campaign on behalf of a party



13
  Article 13.1 of Directive 2002/58/EC of July 12, 2002 concerning the processing of personal data and the
protection of privacy in the electronic communications sector. See also: Note (2024), p.19.
14Note 2024, p.11.
15Articles 5.1.b) and 6.4 of the GDPR.
16Decision 39/2020 of July 28, 2020; Decision 11/2019 of November 25, 2019; and Decision 10/2019 of November 25, 2019.
17Articles 5.1.b), 12.1, 13 and 14 of the GDPR. see also: EDPS Declaration 2/2019 on the use of personal data
in the context of political campaigns, p.2.
18
  Ibid. Decision 74/2023 - 7/9



    politician or candidate, as well as the need to first establish a relationship

    contractual with this subcontractor guaranteeing in particular technical measures and

    sufficient organizational measures to ensure the security of personal data. 19


25. Recently, the Litigation Chamber recalls that when a person concerned exercises

    their right to object to the processing of personal data for marketing purposes,

    including the promotion of an electoral program as detailed above, the data cannot

    no longer be processed for these purposes and the processing must therefore cease.20



26. The Litigation Chamber considers that on the basis of the above-mentioned facts, there is reason to conclude

    that the defendant may have committed a violation of the provisions of the GDPR, which justifies

    that in this case, a decision is taken in accordance with article 95, §1, °4 of

    the LCA, more precisely the adoption of a warning decision, and this in particular given the

    potential violations of articles 5.1.a), 6.1.a) and f) and 12.1 of the GDPR and article 13.1 of the Directive

    e-Privacy.



27. This prima facie decision taken by the Litigation Chamber in accordance with article

    95 of the LCA on the basis of the complaint lodged by the complainant, within the framework of the “procedure

    prior to the substantive decision” and not a decision on the merits of the Litigation Chamber at the

    meaning of section 100 of the LCA .1



28. The purpose of this decision is to inform the defendant, presumed responsible for the

    processing, due to the fact that it may have committed a violation of the provisions of the GDPR, in order to

    to enable it to still comply with the aforementioned provisions.



29. If, however, the defendant does not agree with the content of this decision prima facie

    facie and considers that it can put forward factual and/or legal arguments which could

    lead to another decision, it may send to the Litigation Chamber a request for

    processing on the merits of the case via the email address litigationchambre@apd-gba.be, etc.

    the period of 30 days after notification of this decision. If applicable, the execution of

    this decision is suspended for the above-mentioned period.



30. In the event of continued processing of the case on the merits, pursuant to Article 98, 2° and 3° juncto

    Article 99 of the ACL, the Litigation Chamber will invite the parties to introduce their conclusions

    and to attach to the file all the documents they consider useful. If applicable, this

    decision is suspended for the duration of the appeal procedure.


19
  Article 28.1 and 28.3 of the GDPR. See also: EDPS Opinion 3/2018 on online manipulation and personal data
personal, p.16
20Article 21.2 of the GDPR.
21Section 3, Subsection 2 of the LCA (articles 94 to 97 inclusive). Decision 74/2023 - 9/9



litigationchamber@apd-gba.be, within 30 days of notification of this

decision. If applicable, the execution of this decision is suspended for the period

mentioned above.


And, on the other hand, the defendant may lodge an appeal against this decision in accordance with

Article 108, § 1 of the LCA, within 30 days from its notification, to the Court

of Markets (Brussels Court of Appeal), with the Data Protection Authority as a party


defendant. Such an appeal may be introduced by means of an interlocutory request which must
                                                                          23
contain the information listed in article 1034ter of the Judicial Code. The request

interlocutory must be filed at the registry of the Court of Markets in accordance with article
                  24
1034quinquies of the C. jud., or via the e-Deposit information system of the Ministry of Justice

(article 32ter of the Judicial Code).







(sé). Hielke H IJMANS


President of the Litigation Chamber


































23
  The request barely contains nullity:
    1° indication of the day, month and year;
    2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or
    Business Number;
    3° the surname, first name, address and, where applicable, the status of the person to be summoned;
    4° the object and summary of the grounds of the request;
    5° indication of the judge who is seized of the request;

24 6° the signature of the applicant or his lawyer.
  The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court registry.