APD/GBA (Belgium) - 130/2021: Difference between revisions

From GDPRhub

Revision as of 10:31, 13 December 2021

APD/GBA (Belgium) - 130/2021
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 6(1)(a) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 29.11.2021
Published: 29.12.2021
Fine: None
Parties: n/a
National Case Number/Name: 130/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: autoriteprotectiondonnees (in NL)
Initial Contributor: Jonathan Crabbe

The Belgian DPA decided not to adopt a decision on the merits against a public authority because, despite the existence of a GDPR infringement, the authority had made a timely notification and taken the necessary measures to avoid future infringements.

English Summary

Facts

On 19 August 2021, a data subject (the Complainant) reported illegal dumping to the competent municipal services. The complaint resulted in an official report identifying four suspects. This official report, including its non-anonymised annexes, was then submitted to the competent authority (the Authority) in the framework of a municipal administrative sanction procedure (Gemeentelijke Administratieve Sanctie or 'GAS' procedure). The fine, including its non-anonymised attachments, was then passed on from the Authority to the four suspects. As a result, the four suspects were informed about the identity of the Complainant.

On 16 September 2021, the Complainant was approached by one of the four suspects; the latter confronted her about her initial complaint on the illegal dumping. The Complainant then realised that her identity had been revealed by the Authority to the four suspects as part of the GAS procedure.

On 20 September 2021, the Complainant therefore filed a complaint with the Belgian DPA against the Authority, on the ground that the latter had unlawfully transferred her personal data to the four suspects without her consent within the framework of the GAS procedure.

Holding

The Belgian DPA found that the Authority had obtained personal data for a specific purpose, namely to investigate and impose a fine for illegal dumping. The controller cannot pass on the data obtained from the data subject to others without obtaining the prior consent of the data subject.

The Dispute Resolution Chamber finds that there has been a breach of the principle of purpose limitation (Art. 5(1)(b) GDPR) as the controller transferred the personal data to the 4 defendants. This was not in accordance with the intended purpose for which the data were provided by the data subject, namely to take appropriate action against illegal dumping. It is an established fact that the recipients of the fine did not belong to the group of possible recipients in order to realise this purpose.

Furthermore, the Court finds that the transfer was made without prior consent, so that there is no legitimate basis for the transfer and, consequently, Article 6(1)(a) GDPR has not been complied with.

The Controller explicitly acknowledges having committed a serious error, stating that it is extremely important to handle confidential data with care. The Controller also reported this incident to the DPA in a timely manner, presenting concrete measures to avoid such incidents in the future.

For these reasons, the Dispute Resolution Chamber has decided not to hear the substance of the case.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Disputes Chamber

Decision 130/2021 of 29 November 2021

File number: DOS-2021-06086

Subject: Complaint regarding the transfer of personal data in the context of a GAS procedure

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, single chairperson;

Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;

Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Having regard to the documents in the file;

has taken the following decision regarding:

The complainant: Mrs. X, “the complainant”;

The defendant: Y, hereinafter referred to as “the controller”.




I. Facts and procedure

    1. On 20 September 2021, the complainant lodged a complaint with the Data Protection Authority against the controller.

        The subject of the complaint concerns the transfer of personal data in the context of a GAS procedure. On 19 August 2021, the complainant reported the illegal dumping to the competent municipal services. Based on this report from the complainant, an inspector or agent of the competent police zone drew up an official report. This official report, including the non-anonymised attachments, among them the aforementioned report, was then transferred to the controller with a view to drawing up the GAS fine. Afterwards, the controller in turn passed on the GAS fine by letter, also with appendices, including the non-anonymised report from the complainant, to each of the four suspects. The complainant indicates that she was approached by one of the 4 suspects on September 16, 2021, who confronted her with the report of the illegal dumping. In addition, the complainant states that the personal data of the 3 other suspects is also displayed in the GAS fine.

    2. On 1 October 2021, the complaint was declared admissible by the Frontline Service on the basis of Articles 58 and 60 WOG and transferred to the Disputes Chamber on the basis of art. 62, §1 WOG.




II. Competence of the Data Protection Authority

    3. The Disputes Chamber states that the complaint relates to the processing of personal data of both the complainant and the other data subjects within the meaning of Article 4, 2° of the GDPR [1], to which the GDPR applies.

    4. The GAS service of the controller acts in accordance with the Act on the municipal administrative sanction [2] as sanctioning GAS official in the present matter. As a controller, they draw up GAS sanctions based on the official reports as drawn up by the inspectors or agents of the competent police zone. Within this framework they also send a copy of the official report and all appendices to the suspects.

    5. For this aspect, acting as a sanctioning GAS official and all associated processing, Y acts as a controller and not as a processor of the police zone. Therefore, the Data Protection Authority is authorized to take cognizance of the complaint.

[1] Article 4, 2) GDPR: “processing”: an operation or a set of operations relating to personal data or a set of personal data, whether or not performed via automated processes, such as collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, providing by transmission, distributing or otherwise making available, aligning or combining, blocking, erasing or destroying data.
[2] Law of 24 June 2013 on municipal administrative sanctions, Belgian Official Gazette 1 July 2013.



III. Justification

    6. The problem presented by the complainant concerns the transfer by the controller, without her having given her consent, of personal data relating to her to the 4 suspects of the GAS fine regarding illegal dumping.

    7. The Disputes Chamber establishes that the controller obtained the personal data, namely the name and e-mail address of the complainant, with a view to a specific purpose, namely to take appropriate measures, in this case a GAS fine, to solve the illegal dumping problem in the municipality. The controller may not pass on information obtained from the complainant, as provided in her complaint, to others without the prior consent of the complainant.

    8. However, it is common ground that the controller transferred the complainant's personal data, as provided through her complaint, to the 4 defendants. This was in no way consistent with the intended purpose for which the data was provided by the complainant, namely taking appropriate measures to act against illegal dumping. It is established that the recipients of the GAS fine for illegal dumping did not belong to the group of possible recipients in order to achieve this purpose. Thus there is a violation of the purpose limitation principle (Article 5.1 b) GDPR).

    9. In addition, this transfer to the recipients of the GAS fine in question took place without the prior consent of the complainant having been obtained for this purpose, so that there was no lawful basis for such transfer and therefore Article 6.1 a) GDPR was not respected.

    10. In view of these findings, the Disputes Chamber is of the opinion that the infringement of Article 5.1 b) GDPR and Article 6.1 a) GDPR is proven. However, the controller expressly acknowledges a serious mistake and itself indicates that it is extremely important to handle confidential information with care. The controller has also timely reported this incident to the Data Protection Authority, whereby some concrete measures have already been presented to avoid these incidents in the future. In view of the aforementioned reasons, the Disputes Chamber decides not to proceed with a treatment on the merits of this case.


    11. The present decision is a prima facie decision made by the Disputes Chamber in accordance with Article 95 WOG on the basis of the complaint lodged by the complainant, in the context of the “procedure prior to the decision on the merits” [3] and not a decision on the merits of the Disputes Chamber within the meaning of Article 100 WOG. As a result, the Disputes Chamber can only impose the sanctions listed in Article 95 WOG on the controller and not the sanctions from Article 100 WOG [4], such as an administrative fine.

    12. The purpose of this decision is to inform the controller of the fact that it has committed a violation of the provisions of the GDPR and to give it the possibility to still comply with the aforementioned provisions.

    13. However, if the controller does not agree with the content of this prima facie decision and considers that it can put forward factual and/or legal arguments that could lead to a different decision, it can submit a request for treatment on the merits of the case to the Disputes Chamber via the email address litigationchamber@apd-gba.be, within the period of 14 days after notification of this decision. The enforcement of this decision will, if necessary, be suspended during the aforementioned period.

    14. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber will invite the parties, on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG, to submit their defenses and to attach to the file any documents they deem useful. If necessary, this decision will be definitively suspended.

    15. For the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures stated in Article 100 WOG.

    16. Finally, the Disputes Chamber points out the following:

         If one of the parties wishes to make use of the possibility to consult and copy the file (art. 95, §2, 3° WOG), it should contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment. If a copy of the file is requested, the documents will be delivered electronically or otherwise by regular mail [5].

[3] Section 3, Subsection 2 WOG (Articles 94 to 97).
[4] Article 100 WOG:
 1° to dismiss a complaint;
 2° to order the suspension of prosecution;
 3° to order the suspension of the judgment;
 4° to propose a settlement;
 5° to formulate warnings and reprimands;
 6° to order compliance with the data subject's requests to exercise his/her rights;
 7° to order that the data subject is informed of the security problem;
 8° to order that the processing be temporarily or permanently frozen, restricted or prohibited;
 9° to order that the processing is brought into conformity;
 10° to order the rectification, restriction or deletion of data and notification thereof to the recipients of the data;
 11° to order the withdrawal of the recognition of certification bodies;
 12° to impose periodic penalty payments;
 13° to impose administrative fines;
 14° to order the suspension of cross-border data flows to another State or an international institution;
 15° to transfer the file to the public prosecutor's office of the Public Prosecutor in Brussels, who will inform it of the follow-up given to the file;
 16° to decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.



IV. Publication of the decision

    17. Given the importance of transparency in the decision-making of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. It is not necessary, however, that the identification data of the parties be made public directly.

   FOR THESE REASONS,

   the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

   - Pursuant to Article 58.2.a) GDPR and Article 95, § 1, 4° WOG, warn the controller that the intended processing infringes Article 5.1, b) GDPR and Article 6.1 a) GDPR.

   Against this decision, pursuant to art. 108, §1 WOG, any appeal must be lodged within a period of thirty days from the notification, with the Marktenhof, with the Data Protection Authority as defendant.

(Signed) Hielke Hijmans

Chairman of the Disputes Chamber

[5] Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the Disputes Chamber is NOT provided. Moreover, in principle all communication takes place electronically.