APD/GBA (Belgium) - 74/2024: Difference between revisions
m (→Holding) |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 65: | Line 65: | ||
}} | }} | ||
The DPA held that the use of a data subject’s email address for | The DPA held that the use of a data subject’s email address for political advertising purposes must be based on consent. | ||
== English Summary == | == English Summary == | ||
Line 90: | Line 90: | ||
Second, regarding the access request in order to discover the source of the data used, the APD considered that the controller sent vague and imprecise information about the source of the data subject’s personal data. Therefore, the APD concluded that there may have been a breach of [[Article 5 GDPR#1a|Articles 5(1)(a)]] and [[Article 12 GDPR#1|12(1) GDPR]]. | Second, regarding the access request in order to discover the source of the data used, the APD considered that the controller sent vague and imprecise information about the source of the data subject’s personal data. Therefore, the APD concluded that there may have been a breach of [[Article 5 GDPR#1a|Articles 5(1)(a)]] and [[Article 12 GDPR#1|12(1) GDPR]]. | ||
Hence, the APD issued a prima facie warning to the controller. | Hence, the APD issued a prima facie warning to the controller. |
Latest revision as of 08:59, 21 May 2024
APD/GBA - 74/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 6 GDPR Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 13(1) ePrivacy directive |
Type: | Complaint |
Outcome: | Upheld |
Started: | 05.04.2024 |
Decided: | 16.05.2024 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 74/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | APD/GBA (in FR) |
Initial Contributor: | nzm |
The DPA held that the use of a data subject’s email address for political advertising purposes must be based on consent.
English Summary
Facts
On 30 January 2024, the data subject received an email from a candidate in the June 2024 regional elections (‘controller’), promoting their programme. On 3 January 2024, the data subject responded to the email indicating that Belgian law prohibits political spamming practices. He also indicated that he no longer wished for the controller to use his data, and made an access request, in particular to understand where the controller collected his personal data.
On 5 February 2024, the controller responded to the access request by explaining that the data subject’s personal data was probably already in his address book, although it was possible that friends had given it to him.
On 5 April 2024, the data subject lodged a complaint with the Belgian DPA (‘APD’).
Holding
First, regarding the use of the data subject’s email address for electoral propaganda purposes, Article 6(1)(a) GDPR establishes that the processing of personal data is lawful if the data subject has consented to the processing. Article 13(1) ePrivacy directive states that the use of an email for the purposes of direct marketing may be authorised only if the targeted subscribers have given consent. Furthermore, the APD published a note on the processing of personal data in the context of elections in which it established that the targeting people with political propaganda on the basis of voters’ personal data must be considered direct marketing within the meaning of the GDPR and ePrivacy Directive.
In the present case, the APD noted that the data subject did not give consent to the processing of his email address for direct marketing purposes. Therefore, the DPA held that the controller may have breached Article 6(1)(a) GDPR as well as Article 13(1) ePrivacy directive.
The DPA examined the possibility of invoking legitimate interest under Article 6(1)(f) GDPR as a legal basis. This article establishes that the processing of personal data is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller, unless the interests or fundamental rights and freedoms of the data subject prevail. Recital 47 GDPR states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. In CJEU, 4 May 2017, Rigas, C-13/16, the Court of Justice held that Article 6(1)(f) GDPR lays down three cumulative conditions. (i) the pursuit of a legitimate interest by the controller, (ii) the necessity of the processing in order to achieve the legitimate interest pursued and (iii) the fundamental rights and freedoms of the data subject must not prevail.
Regarding the pursuit of a legitimate interest, Belgian law provides that candidates in elections may promote their programme through communications. Moreover, the APD described the controller’s interest as ‘sending direct marketing communications to promote the electoral programme for the regional elections in June 2024’. Thus, the controller’s interest is sufficiently specific that it represents a real and present interest. The APD considered that the controller is pursuing a legitimate interest.
Regarding the necessity of the processing in order to achieve the legitimate interest, the APD took into account the existence of less intrusive means to attain the objective. The DPA considered that an election programme can be promoted by means of flyers placed in people’s mailboxes for example, which is far less intrusive, even if It may require some extra effort. Therefore, the APD held that the direct marketing was not strictly necessary to the legitimate interest pursued, namely the promotion of its electoral programme.
Thus, the APD concluded that the controller may have committed a potential breach of Article 6 GDPR.
Second, regarding the access request in order to discover the source of the data used, the APD considered that the controller sent vague and imprecise information about the source of the data subject’s personal data. Therefore, the APD concluded that there may have been a breach of Articles 5(1)(a) and 12(1) GDPR.
Hence, the APD issued a prima facie warning to the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/9 Litigation Chamber Decision 74/2024 of May 16, 2024 File number: DOS-2024-00641 Subject: Complaint relating to unlawful collection of personal data as well as spamming in the context of elections. The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke H IJMANS, president, sitting alone; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of data personal character and the free movement of such data, and repealing the Directive 95/46/EC (general data protection regulation), hereinafter “GDPR”; Vula Law of December 3, 2017 establishing the Data Protection Authority, hereinafter after “LCA”; Having regard to the Law of July 30, 2018 relating to the protection of individuals with regard to processing of personal data, hereinafter “LTD”; Considering the Internal Regulations as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has taken the following decision regarding: The complainant: Mr. The defendant: Mr. Y, hereinafter “the defendant”. Decision 74/2023 - 2/9 I. Facts and procedure 1. On April 5, 2024, the complainant filed a complaint with the Data Protection Authority. data (hereinafter “the DPA”) against the defendant party, Mr. Y (hereinafter “the party defendant” or “the defendant”). 2. The subject of the complaint concerns an unlawful collection of personal data as well as a unsolicited marketing communication. 3. On January 30, 2024, the plaintiff receives an email from the defendant, a candidate in the elections regional elections of June 2024, aimed at promoting its program. 4. On February 3, 2024, the complainant responded by indicating the provisions of Belgian law prohibiting spam practices policy and right to refuse or withdraw consent to use of their data under Article 13 of the GDPR, including the right not to receive unsolicited communications. The same day, the complainant exercises his right of access in accordance with Article 15 of the GDPR and requests the source and/or method by which the defendant collected the plaintiff's personal data. 5. On February 5, 2024, the defendant responded to the plaintiff's request for access by explaining that his personal data must undoubtedly already be in his address book email. She adds that it is also possible that friends gave her her contact details. 6. On February 22, 2024, the complaint was declared admissible by the First Line Service (hereinafter [1] “SPL”) on the basis of articles 58 and 60 of the LCA and the complaint was transmitted to the Chamber Litigation under article 62, § 1 of the LCA.2] II. Motivation 7. The Litigation Chamber notes that the complainant's grievances relate on the one hand, (a) to the unlawful processing of his data, in particular the use of his electronic address for purposes electoral propaganda purposes; and on the other hand (b) on the exercise of his right of access in order to discover the source of the data used. 8. Firstly, in accordance with article 6.1.a) of the GDPR, processing of data of a personal is lawful if “the person concerned has consented to the processing of their data personal character for one or more specific purposes; (…)”. Section 13.1 of the [Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been declared admissible. [2Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that following this complaint, the file was sent to him. Decision 74/2023 - 3/9 Directive 2002/58/EC (hereinafter, “e-Privacy Directive”), applicable in its capacity as Lex Specialis, specifies that “the use (…) of electronic mail for prospecting purposes direct can only be authorized if it targets subscribers who have given their consent prior. » 2 9. Furthermore, in its Recommendation 01/2020, the APD explains that direct marketing also includes the promotion of the aims and ideals of any organization, including policy . The Note in the context of the 2024 elections (hereinafter, “Note 2024) specifies as to she that “there can be no doubt as to the fact that the targeted dissemination of propaganda policy on the personal data base of voters must be considered as “direct marketing” in the sense of the term prospecting in the GDPR and the e-Directive Privacy. »5 10. In this case, the Litigation Chamber notes that the complainant did not give his consent to the processing of personal data, including address personal electronic mail, for direct marketing purposes. Consequently, the defendant could have disregarded article 6.1.a) of the GDPR juncto article 13.1 of the e-Privacy Directive such as interpreted by Recommendation 01/2020 and clarified by Note 2024, by sending a electronic email for the purpose of direct marketing of its electoral program. 11. For exhaustive purposes, the Litigation Chamber examines a legal basis that the defendant could invoke, namely article 6.1.f) of the GDPR. The latter provides that a treatment of personal data is lawful if it “is necessary for the purposes of the legitimate interests pursued by the data controller (…), unless interests or reasons prevail. fundamental rights and freedoms of the person concerned (…)”. Recital 47 of the GDPR specifies that “the processing of personal data for prospecting purposes may be considered as being carried out to meet a legitimate interest. ". 12. The APD recalls in its Note 2024 that “sending electronic messages to the computer of the data subject being particularly intrusive, the interests or freedoms and rights fundamentals of the person concerned in principle weigh more heavily than the legitimate interests of the controller. Sending electronic messages is therefore not admissible only if the person concerned first gives consent for such 1 Article 13.1 of Directive 2002/58/EC of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. 2Recommendation 01/2020 of January 17, 2020 relating to the processing of personal data for the purposes of Direct marketing. Available: https://www.autoriteprotectiondonnees.be/publications/recommandation-n-01-2020.pdf 3Ibid., point 13. 4Note on data processing in the context of elections (2024). Available : https://www.autoriteprotectiondonnees.be/publications/note-sur-le-traitement-des-donnees-dans-le-cadre-des- 5elections.pdf Ibid., p.2. Decision 74/2023 - 4/9 processing of personal data. It is indeed legitimate that the voter must first give consent before such communication for purposes of direct marketing can be addressed to him.” 6 13. In this case, the Litigation Chamber considers it necessary to establish the lawfulness of the processing under the angle of article 6.1.f) of the GDPR. The CJEU stated in its Rigas judgment that this article provides three cumulative conditions; “firstly, the pursuit of a legitimate interest by the responsible for the processing (…), secondly, the need for the processing of data to personal character for the realization of the legitimate interest pursued, and, thirdly, the condition that the fundamental rights and freedoms of the person concerned by the protection data does not prevail. ". It involves applying these three conditions in order to determine whether the data processing carried out by the defendant in this situation is lawful in the sense of article 6.1.f) of the GDPR. 14. As for the first condition of legitimacy of the interest, the EDPB specifies that it must be lawful, 8 sufficiently specific and must represent a real and current interest. The interest of promotion of an electoral program finds its basis in Belgian electoral laws. It is in fact provided for by Belgian law that candidates in electoral elections can promote of their program through communications. The interest is lawful. Furthermore, based on information available, the Litigation Chamber describes the interest of the defendant as such: sending direct marketing communications for program promotion purposes electoral for the regional elections of June 2024. It can therefore be inferred that the interest of the defendant is sufficiently specific and represents a real and present interest. There defendant pursues a legitimate interest. 15. As for the second condition of the necessity of the processing for the realization of the interest legitimate pursuit, it is important to remember that “derogations and restrictions on principle of protection of personal data must operate within the limits of the strictly necessary.” To this end, it is necessary to establish whether less invasive means would could have been used by the defendant to achieve the legitimate interest pursued. The promotion of an electoral program can be made through flyers placed in post office boxes citizens. This practice is common during election periods. Although the flyer submission may require additional effort, the nature is significantly less invasive than that 6 7Ibid., p.19. CJEU Judgment of May 4, 2017, Riga satiksme, C-13/16 ECLI:EU:C:2017:336, para 28, and CJEU, Judgment of December 7, 2023, Joined cases C-26/22 and C-64/22, Schufa, ECLI:EU:C:2023:958, para. 74. 8EDPB Opinion 06/2014 on the notion of legitimate interest of the data controller under Article 7 of the Directive 95/46/EC, p.24. 9In this regard, see the elections.brussels website and more particularly: https://elections.brussels/reglementation-de- campaign. 10 CJEU C-13/16 Rigas Satiksme, paragraph 30; CJEU C-92/09 and C-93/09 Volker und Markis Schecke and Eifert, EU:C:2010:662, item 86; and CJEU C-473/12, IPI, EU:C:2013:715, point 39. Decision 74/2023 - 5/9 represents takes precedence over the effort required. The direct marketing carried out by the defendant is not therefore not strictly necessary for the realization of the legitimate interest pursued, namely the promotion of its electoral program. 16. As for the third criterion for balancing fundamental freedoms and rights. THE conditions of the CJEU triple test are cumulative, the failure of the second criterion renders already the pursuit of the legitimate interest of the potentially illicit defendant in meaning of article 6.1.f) of the GDPR. Given the intrusive and not strictly necessary nature of the direct marketing of the defendant, the Litigation Chamber does not consider it important to carry out this weighting exercise. In addition, it is specified in Note 2024 that “the presence of compelling legitimate grounds for the processing on the part of political parties or of candidates, is deemed not to be fulfilled in the context of sending personalized messages by email or SMS as there is no balance between legitimate interests of the controller to process personal data for the purposes of direct marketing and that of the person concerned not to be disturbed. ”.11 17. In conclusion, the Litigation Chamber considers that the defendant could have committed potential violation of Article 6 of the GDPR by unlawfully processing data personal data of the complainant for electoral propaganda purposes, without having a legal basis appropriate. 18. Secondly, it should be remembered that according to Article 5.1.a) juncto Article 12.1 of the GDPR, every data subject has the right to receive information concerning the origin of their personal data. This information must be provided concisely, transparent, understandable, and easily accessible, in clear and simple terms. 19. It appears from the documents in the file that the defendant may have disregarded Article 5.1.a) juncto article 12.1 of the GDPR by having transmitted vague and imprecise information relating to to the source of the complainant's personal data. Indeed, the terms used in the The defendant's response is imprecise, indicating that the plaintiff's data " […] [had] to be included in a collective email concerning an evening, an activity, a event or a request for a common gift” and that it is also possible that “some friends [have] also sent addresses of friends who they thought could be 12 interested”. 1Note 2024, p.19. 12The annexes to the complaint filed on April 5, 2024. Decision 74/2023 - 6/9 20. In view of the potential breaches observed above, the Litigation Chamber recalls the application rules concerning the processing of personal data in the context of elections. 21. Firstly, the promotion of activities of associations and foundations of a political nature through a solicited or unsolicited communication addressed directly to one or more several natural persons, by any means, involving data processing of a personal nature constitutes “direct marketing” as understood by the GDPR and the 13 e-Privacy Directive. In order to send such communications, the consent of the person(s) person(s) concerned for the purpose of receiving these communications will be necessary (cf. points 7 to 10 of this decision). It is nevertheless legal to carry out propaganda paper election using voter lists, as provided for by electoral laws and subject to certain conditions. 14 22. Secondly, the Litigation Chamber recalls the importance of the principle of finality requiring that personal data be collected for purposes determined, explicit and legitimate, and are not subsequently processed in a manner incompatible with its purposes. Here she recalls her decisions 10/2019, 11/2019 and 39/2020 in which it deemed the reuse of lists incompatible and in violation of the GDPR electoral, clients or citizens concerned by an urban planning project for prospecting for an electoral program in the context of the 2018 elections. 16 23. Thirdly, the Litigation Chamber recalls the conditions inherent to the principle of transparency. The data controller must communicate to the data subject, among other things, the following information relating to the processing of personal data personal; the reasons for the processing, the legal basis on which the processing is based, the identity of the data controller (surname, first name, email address and postal address), the origin of the data as well as the existence of the right to information (see point 11 of this decision), access, rectification and opposition. This information must be transmitted if the data of a personal nature are transmitted by the person concerned as well as if they are not collected from her .8 24. Fourth, the Litigation Chamber recalls the possibility of transmitting a list of voters to a subcontractor, requested to carry out an electoral campaign on behalf of a party 13 Article 13.1 of Directive 2002/58/EC of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. See also: Note (2024), p.19. 14Note 2024, p.11. 15Articles 5.1.b) and 6.4 of the GDPR. 16Decision 39/2020 of July 28, 2020; Decision 11/2019 of November 25, 2019; and Decision 10/2019 of November 25, 2019. 17Articles 5.1.b), 12.1, 13 and 14 of the GDPR. see also: EDPS Declaration 2/2019 on the use of personal data in the context of political campaigns, p.2. 18 Ibid. Decision 74/2023 - 7/9 politician or candidate, as well as the need to first establish a relationship contractual with this subcontractor guaranteeing in particular technical measures and sufficient organizational measures to ensure the security of personal data. 19 25. Recently, the Litigation Chamber recalls that when a person concerned exercises their right to object to the processing of personal data for marketing purposes, including the promotion of an electoral program as detailed above, the data cannot no longer be processed for these purposes and the processing must therefore cease.20 26. The Litigation Chamber considers that on the basis of the above-mentioned facts, there is reason to conclude that the defendant may have committed a violation of the provisions of the GDPR, which justifies that in this case, a decision is taken in accordance with article 95, §1, °4 of the LCA, more precisely the adoption of a warning decision, and this in particular given the potential violations of articles 5.1.a), 6.1.a) and f) and 12.1 of the GDPR and article 13.1 of the Directive e-Privacy. 27. This prima facie decision taken by the Litigation Chamber in accordance with article 95 of the LCA on the basis of the complaint lodged by the complainant, within the framework of the “procedure prior to the substantive decision” and not a decision on the merits of the Litigation Chamber at the meaning of section 100 of the LCA .1 28. The purpose of this decision is to inform the defendant, presumed responsible for the processing, due to the fact that it may have committed a violation of the provisions of the GDPR, in order to to enable it to still comply with the aforementioned provisions. 29. If, however, the defendant does not agree with the content of this decision prima facie facie and considers that it can put forward factual and/or legal arguments which could lead to another decision, it may send to the Litigation Chamber a request for processing on the merits of the case via the email address litigationchambre@apd-gba.be, etc. the period of 30 days after notification of this decision. If applicable, the execution of this decision is suspended for the above-mentioned period. 30. In the event of continued processing of the case on the merits, pursuant to Article 98, 2° and 3° juncto Article 99 of the ACL, the Litigation Chamber will invite the parties to introduce their conclusions and to attach to the file all the documents they consider useful. If applicable, this decision is suspended for the duration of the appeal procedure. 19 Article 28.1 and 28.3 of the GDPR. See also: EDPS Opinion 3/2018 on online manipulation and personal data personal, p.16 20Article 21.2 of the GDPR. 21Section 3, Subsection 2 of the LCA (articles 94 to 97 inclusive). Decision 74/2023 - 9/9 litigationchamber@apd-gba.be, within 30 days of notification of this decision. If applicable, the execution of this decision is suspended for the period mentioned above. And, on the other hand, the defendant may lodge an appeal against this decision in accordance with Article 108, § 1 of the LCA, within 30 days from its notification, to the Court of Markets (Brussels Court of Appeal), with the Data Protection Authority as a party defendant. Such an appeal may be introduced by means of an interlocutory request which must 23 contain the information listed in article 1034ter of the Judicial Code. The request interlocutory must be filed at the registry of the Court of Markets in accordance with article 24 1034quinquies of the C. jud., or via the e-Deposit information system of the Ministry of Justice (article 32ter of the Judicial Code). (sé). Hielke H IJMANS President of the Litigation Chamber 23 The request barely contains nullity: 1° indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or Business Number; 3° the surname, first name, address and, where applicable, the status of the person to be summoned; 4° the object and summary of the grounds of the request; 5° indication of the judge who is seized of the request; 24 6° the signature of the applicant or his lawyer. The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by letter recommended to the court clerk or filed with the court registry.