APD/GBA (Belgium) - 32/2022: Difference between revisions
No edit summary |
No edit summary |
||
Line 59: | Line 59: | ||
}} | }} | ||
The Belgian DPA held that, under the GDPR, direct marketing via email may not require the data subjects consent, it is still necessary to inform the data subject pursuant to [[Article 14 GDPR|Article 14 GDPR]] at the latest at the time of initial contact. | The Belgian DPA held that, under the GDPR, direct marketing via email may not require the data subjects consent. However, it is still necessary to inform the data subject pursuant to [[Article 14 GDPR|Article 14 GDPR]] at the latest at the time of initial contact. | ||
== English Summary == | == English Summary == |
Revision as of 14:30, 16 March 2022
APD/GBA (Belgium) - 32/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(e) GDPR Article 6(1)(f) GDPR Article 14 GDPR Article 15 GDPR Article 21 GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 10.03.2022 |
Published: | 10.03.2022 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 32/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Belgian DPA (in NL) |
Initial Contributor: | kc |
The Belgian DPA held that, under the GDPR, direct marketing via email may not require the data subjects consent. However, it is still necessary to inform the data subject pursuant to Article 14 GDPR at the latest at the time of initial contact.
English Summary
Facts
In April 2020, the data subject requested not to receive any more direct marketing messages from the controller.
In May 2020, the data subject requested from the controller information on any processing of personal data concerning him pursuant to Article 15(1) GDPR after receiving further direct marketing messages via his email and on his mobile phone despite his previous request.Specifically, he asked about the origin of the acquisition of his personal data that allowed the controller to contact him and about the legal basis for the processing to which he claimed that he had not given consent.
The controller responded to the request by stating that it had obtained the data from a contact provider but limited itself to providing only the name of the company. Furthermore, it acknowledged that the data subject had received further messages due to human error.
In September 2020, the data subject filed a complaint with the Belgian DPA (APD/GBA). He complained both about the direct marketing messages which he claimed required consent (Article 6(1)(a) GDPR) and about the reaction to his access request which according to him had violated Articles 15(1), 5(1)(c) and (e) and 14(2)(e) GDPR.
Holding
The DPA partly upheld the complaint. It ordered the controller to comply with the data subject's right to access pursuant to Article 15(1)(g) GDPR. Furthermore, it formulated a warning with regard to the data controller's mentioning of the right to object to the processing in the message with which it first comes into contact with the data subject, so that the data processing in this respect will respect the transparency requirement set out in Articles 5(1)(a), 12, 14 and 21(4) GDPR in the future.
Regarding the direct marketing messages by the controller, the DPA dismissed the complaint. It held that the controller did not require the data subject's consent because it had sufficient legitimate interest in accordance with Article 6(1)(f) GDPR. According to the DPA, this was supported by Recital 47 GDPR which specifically states that direct marketing may be carried out with legitimate interest. Since the data subject's email address was publically available online, the DPA held that he had to have the reasonable expectation that that email address would be used to send him messages and that the controller had thus made use of publicly available information.
In addition, regarding his mobile phone number, the DPA obliged the controller to provide information on the source that formed the basis of the processing since it was unclear how the number was obtained by the controller and thus, it was not possible to assess whether that information had been obtained lawfully.
Regarding the data subject's access request, the DPA held that the controller had not complied with its duty to provide access to the data subject because it had not given the data subject "all available information", Article 15(1)(g) GDPR. Furthermore, the controller had violated Article 21(4) GDPR by not providing the information listed in Article 14 GDPR in its first communication with the data subject. According to the DPA, at the very least, the first message should have contained a link to the privacy policy in which this information is contained in an accessible, concise and clear manner. The fact that the first notice to the complainant did not contain the slightest reference to the information necessary to ensure transparent data processing constitutes an infringement of Articles 5(1)(a), 12(1) and 14 GDPR.
Comment
The decision did not take into account Article 13 ePrivacy Directive which covers unsolicited communications.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/10 Dispute room Decision 32/2022 of 10 March 2022 File number : DOS-2020-04479 Subject : Exercising the right of objection and right of access pursuant to unsolicited advertising messages The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, single chairperson; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has taken the following decision regarding: † The complainant: Mr X, hereinafter referred to as “the complainant”; † † The controller: Y, hereinafter referred to as “the controller”, Decision on the merits 32/2022 - 2/10 I. Facts procedure 1. On 8 September 2020, the complainant lodged a complaint with the Data Protection Authority against the controller. 2. The subject of the complaint concerns the exercise by the complainant of his right to object to following the receipt of unwanted advertising sent to him by the controller at the complainant's e-mail address, as well as by contacting his cell phone. The complainant also invokes his right of access, in particular he asks about the origin of the acquisition of his personal data, which means that the controller in was able to contact him by e-mail and by mobile phone, as well as to the legal basis for the processing of are personal data for which the complainant states that he has not given his consent. When the complainant requests more complete information on 4 May 2020 to which he is entitled to pursuant to Article 15.1 of the GDPR – so not only limited to his initial request to provide him with the source and the legal basis for its data processing – this will be accepted by the controller who will provide him with all the information requested on May 28, 2020. from this does the complainant infer that the principle of transparency (Article 5.1 of the GDPR), the principle of minimum data processing (Article 5.1 c) GDPR) and the storage limitation (Article 5.1 e) GDPR) respected. Also, the controller's reply would not have referred to under the competence of the Belgian Data Protection Authority (Article 14.2 e) GDPR) and the complainant has not received the information to which he is entitled under Article 14 GDPR. 3. On March 23, 2021, the complaint will be declared admissible by the Frontline Service on the basis of the Articles 58 and 60 WOG and the complaint on the basis of art. 62, §1 WOG transferred to the Dispute room. II. Justification Legal basis for sending advertising messages – Exercise of the right to object 4. As to the complainant's allegation that the use of personal identification data, in this case his name, e-mail address and mobile phone number, for direct marketing purposes the consent would be required, the Disputes Chamber points out that the consent, but the legitimate interest of the controller as 1 legal basis to process the complainant's identification data for direct marketing 1 1. Processing is only lawful if and insofar as at least one of the following conditions is met: a) the data subject has consented to the processing of his/her personal data for one or more specific purposes; […], Decision on the substance 32/2022 - 3/10 purposes. Recital 47 GDPR expressly states that the processing of personal data for the purpose of direct marketing can be considered as performed with with a view to a legitimate interest (Article 6.1 f) GDPR). So this means that the controller not prior to processing for direct marketing consent from the data subject (Article 6.1 a) GDPR). The controller rightly invokes the legal basis set out in Article 6.1 f) GDPR to process information that is accessible to the public for direct marketing purposes. 5. The factual elements present in the file show that the unwanted message to which the complaint relates was sent by the controller to the 2 e-mail address (…), which was made available online and is therefore accessible to everyone. It making your own contact details available online, such as the e-mail address in this case of the complainant, necessarily implies that it is for the purpose of the person providing the contact details online, to be able to get in touch with the person to whom the contact details relate. Because the complainant makes his contact details publicly available through the publishing it online, it is within his reasonable expectations that his e-mail address may be used to send him messages. The controller has thus of this publicly available data. 6. The complainant does not deny that the email address used by the controller, and thus ipso facto also his name, is accessible to the public. The complainant, on the other hand, believes that specific to his cell phone number, to state that it is not publicly available data, but a private data that cannot be disclosed on the basis of the legitimate interest are processed. The Disputes Chamber notes that the complainant cannot simply claim that his cell phone number is private due to lack of knowledge in his mind about the source that was at the base of the processing of this data and through which the company to which the has appealed to the controller, has come into possession of the mobile phone number of the complainant and subsequently provided it to the controller. On the basis of the factual elements of the file, the Disputes Chamber must determine that it is unclear is how the complainant's mobile number was obtained, which means that it is therefore not it is possible to assess whether this information was obtained lawfully. To that end should provide the controller with information on the source that caused it of the processing of the GSM number (see below, edge nos. 13 et seq.) 7. Against the right of the controller to process personal data pursuant to has a legitimate interest to process for direct marketing purposes, it does state that the f) the processing is necessary for the purposes of pursuing the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject are necessary for the protection of personal data override those interests, in particular where the data subject is a child. 2 See eg (…); (…), Decision on the merits 32/2022 - 4/10 controller must comply with the objection raised by the data subject can be made against the processing of personal data concerning him at any time, without the data subject being required to provide any justification (Article 21.2 GDPR and Article 21.3 GDPR) . The controller has within one month (Article 12.3 GDPR) after receipt of the complainant's request on April 17, 2020 not to send direct marketing messages more, followed by confirmation of the removal of the personal data of the complainant from his file on April 21, 2020. It is true that in the response of April 21, 2020 incorrectly stated that the complainant was registered to be re-registered contacted by the controller. This shortcoming was rectified by the controller on May 28, 2020 in which it admitted that this was based on a human error and the correct representation had to be that the complainant was registered for not to be contacted again by the controller. 8. On the basis of the elements in the file known to the Disputes Chamber, and on the basis of the powers assigned to it by the legislator on the basis of Article 95, §1 WOG, decides the Disputes Chamber about the further follow-up of the file; in this case, the Disputes Chamber to dismiss the complaint as to the legal basis, in accordance with Article 95, §1, 3° WOG, based on the motivation below. 9. In the event of a dismissal, the Disputes Chamber must gradually investigate and motivate: - whether there is insufficient prospect of a conviction, after which a technical dismissal follows; - whether a successful conviction would be technically feasible but on grounds, in general 4 interest, a (further) prosecution is undesirable, followed by a policy dismissal. 10. In the event that more than one ground is being discarded, the discarded grounds (or technically dismissal and policy dismissal) should be treated in order of importance. 11. In the present case, the Disputes Chamber will proceed to a technical dismissal on a single ground, namely because the Disputes Chamber decides that the controller does not has committed an infringement of Article 6.1 of the GDPR. In addition, the controller within the legal period of one month has appropriately followed the request of the complainant causing his e-mail address, including his name, as well as his mobile phone number to no longer be used for direct marketing purposes, so that no infringement of article 12.3 . was also committed GDPR and Articles 21.2 and 21.3 GDPR. 3See in that regard also recital 70 of the GDPR: When personal data is processed for the purpose of direct marketing, the data subject, whether it concerns initial or further processing, have the right at any time and free of charge object to this processing, including in the case of profiling insofar as it relates to direct marketing. Which right must be brought to the attention of the data subject expressly, in a clear manner and separately from other information. 4 Cfr. Judgment Court of Appeal Brussels (Marktenhof), 2 September 2020, no. 2020/5460, 18., Judgment on the merits 32/2022 - 5/10 Exercise of the right of access 12. The Disputes Chamber determines on the basis of the documents that substantiate the complaint that the complainant is entitled to exercised the right of inspection, which was initially aimed at becoming acquainted with this information was obtained. Later, the complainant's request was extended to the full information. 13. The controller has complied with the complainant's first request by to state that he obtained it from a contact provider, but has limited himself to it only provide the name of the company. Article 15.1 g) GDPR nevertheless prescribes that the controller to the data subject “all available information” about the source of must provide the data, if the personal data have not been obtained from the data subject collected. 14. The accountability obligation (Article 5.2 GDPR) of the controller entails note that basic information is provided to the person concerned, ie the complainant, showing that the controller himself processes the data in accordance with the GDPR and prior to the purchase of an address file checks whether that data is lawfully processed by the company that trades in personal data. Thus, the complainant can expect that the data controller provides information about how the company is held obtained from the complainant's contact details, as well as the legal basis on which that personal data is processed by that company in order to demonstrate that the contact details from the complainant were lawfully purchased and processed by the controller. In order to guarantee the rights of the complainant, the controller should also provide the company's contact details. This enables the complainant to to exercise its right of inspection with regard to that company. 15. It is therefore not sufficient for the controller to provide only the name of the company to the complainant without any further specification. As a result, the controller acted in violation of Article 15.1 g) GDPR. 16. The Disputes Chamber is of the opinion that on the basis of the above analysis, concluded that a breach of the provisions of the GDPR was committed, which justifies the taking of a decision on the basis of Article 95, §1, 5° WOG, more specifically to inform the controller Orders to comply with the complainant's exercise of his right of access (Article 5 See the answer provided by the controller on April 21, 2020, to the question d.d. 17 by the complainant. April 2020. 6See the answer provided by the controller on May 28, 2020, to the question asked by the complainant dated 4 May 2020, Decision on the merits 32/2022 - 6/10 15.1 g) GDPR) and this in particular in view of the documents submitted by the complainant showing that the complainant has indeed exercised his right of access, but the controller has not adequately followed this up. 17. When the complainant in a second application requests more complete information under Article 15.1 GDPR - so not only limited to the legal basis stated in point g) -, this is discussed by the controller who provides him with the requested information. This brings the then submit to the complainant that there would be no transparent data processing because the response to the request for access is given in English, while the marketing messages were drawn up in Dutch. The Disputes Chamber notes that the principle of transparency does not contain a language requirement. Transparent information and communication is necessary. Since the complainant was approached by the defendant from his position within his business and English is a common language used in business, are expected that the information given in English was completely transparent. 18. According to the complainant, the retention period was also not clearly defined and it would be an infinite storage period. First of all, the Disputes Chamber notes that the controller indicates to keep the personal data for as long as necessary to to provide the services it provides. To the extent that the relevant personal data is processed for direct marketing purposes, it is sufficient that the controller offers the right of objection to the data subject, which immediately ends if it is exercised applies to the processing of the personal data of the data subject. In that sense, the data processing is not infinite. This is also apparent from the facts, i.e. as soon as the complainant has exercised his right to objected, the processing of his personal data was terminated (Article 21.3 GDPR) and no infringement of Article 5.1 e) GDPR can be established, provided that the controller informs the data subject in a timely and adequate manner about his or her right to objection (see margin no. 21 below). 19. The complainant also cites that the controller is not the competent data protection authority and refers to the German Data protection authority instead of the Belgian authority. The Disputes Chamber points points out that the controller states that the complainant cannot only lodge a complaint with the German Data Protection Authority, but also at the Data Protection Authority 7 where he resides. This is in accordance with Article 77.1 GDPR. Because the complainant in Belgium resides, the controller has complied with the obligation to state that the complainant has the right to lodge a complaint with a supervisory authority, in this case the 7Article 77.1. GDPR. Without prejudice to other possibilities of administrative appeal or a judicial remedy, every person concerned has the right to lodge a complaint with a supervisory authority, in particular in the Member State where he usually resides, his place of work has or where the alleged infringement was committed, if he believes that the processing of his personal data infringement makes on this regulation., Decision on the substance 32/2022 - 7/10 Belgian Data Protection Authority (Article 15.1 f) GDPR). For the sake of completeness, the The dispute chamber still allows the Belgian Data Protection Authority to exercises jurisdiction under Article 55 of the GDPR because the defendant has has its registered office in Belgium and there is no reason to assume that there is a cross-border situation as referred to in Article 56 GDPR. Information obligation 20. The complainant alleges that the obligation to provide information as set out in Article 14 GDPR was breached by the controller. 21. With regard to information on the right to object (Article 14.2 b) GDPR) in particular Article 21.4 of the AVG 8 expressly states that this option, separately from the other information, already in the first message to the person concerned, being in this case the complainant, must be included. However, the message that is the subject of the complaint does not in any way make it the right of objection is clearly communicated to the complainant. What's more, it doesn't contain any reference to this right of objection. Recital 70 GDPR provides, however, that this right expressly, on clear manner and separate from other information, must be brought to the attention of the data subject are being brought . In the absence of notification of this right of objection to the complainant on the the moment he was first contacted, the controller has acted in violation of Article 21.4 of the GDPR. 22. With regard to the other information (Article 14.1 and 14.2 GDPR) that the controller, this provision (Article 14.3 GDPR) requires that this this also takes place at the latest at the time of the first contact with the data subject. The first Prosecutor's notice does not contain any information as such. At least had the first message contain a link to the privacy policy in which, in an accessible manner and in a concise and clear way this information is included. Because the first message to the complainant does not contain the slightest reference to the necessary information to ensure a transparent data processing, there is an infringement of Articles 5.1 a), 12.1 and 14 GDPR. Decision 23. The present decision is with regard to the exercise of the right of access and information obligation a prima facie decision taken by the Disputes Chamber in accordance with Article 95 WOG on the basis of the complaint submitted by the complainant, in the context of the 'procedure' 8 Article 21.4 GDPR. The right referred to in paragraphs 1 and 2 shall be expressly granted at the latest at the time of the first contact with the data subject brought to the attention of the data subject and presented clearly and separately from any other information. 9See footnote 2., Decision on the substance 32/2022 - 8/10 prior to the decision on the merits' and no decision on the merits of the Disputes Chamber within the meaning of Article 100 WOG. 24. The purpose of this decision is to inform the controller of the fact that it may have infringed the provisions of the GDPR and that it is in the opportunity to still conform with the aforementioned provisions. 25. However, if the controller does not agree with the content of this prima facie decision and considers that it may allow factual and/or legal arguments money that could lead to a different decision, can be sent to the email address litigationchamber@apd-gba.be submit a request for treatment on the merits of the case to the Disputes Chamber and this within the period of 14 days after notification of this decision. The enforcement of this decision will, if necessary, be during the aforementioned period suspended. 26. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber will the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their to submit defenses and to attach to the file any documents they deem useful. The If necessary, this decision will be definitively suspended. 27. For the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures stated in Article 100 WOG. 28. Finally, the Disputes Chamber points out the following: 29. If one of the parties wishes to make use of the possibility to consult and copying the file (art. 95, §2, 3° WOG), this should contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment to capture. 30. If a copy of the file is requested, the documents will be sent electronically if possible or else delivered by regular mail. III. Publication of the decision 31. Given the importance of transparency in the decision-making of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. It is not necessary, however, that the identification data of the parties be published directly., Decision on the merits 32/2022 - 9/10 FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - the complaint to the extent that it relates to the legal basis for the shipment of advertising messages, pursuant to Article 95, §1, 3° WOG, to be dismissed in view of the fact that no breach of the GDPR can be established in this regard. - the complaint to the extent to which it relates to the exercise of the right of inspection pursuant to Article 58.2. c) GDPR and Article 95, §1, 5° WOG de order the controller to comply with the complainant's request to exercise its rights, in particular the right of access under Article 15.1 g) GDPR); to order the controller to the Data Protection Authority (Dispute Chamber) by e-mail within the period of 14 days after the notification of this decision of the outcome of this decision via the email address litigationchamber@apd-gba.be; and in the absence of the timely implementation of the above by the controller, to handle the case on the merits ex officio in accordance with Articles 98 et seq. WOG. - to formulate a warning with regard to the controller for with regard to the mention of the right of objection in the message with which he first contacts the data subject, so that the data processing at this point in the future the transparency requirement as stated in Articles 5.1 a), 12, 14 and 21.4 GDPR respects; to request the controller from the Data Protection Authority (Dispute Chamber) by e-mail within the period of 14 days after the notification of this decision of the outcome of this decision in order to To inform the dispute chamber about the adjustment of the procedure (see margin no. 21) via the e-mail email address litigationchamber@apd-gba.be; and In the absence of the timely implementation of the above by the controller, to handle the case on the merits ex officio in accordance with Articles 98 et seq. WOG. Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a period of thirty days, from the notification, to the Marktenhof, with the Data Protection Authority as Defendant., Decision on the merits 32/2022 - 10/10 (Get). Hielke Hijmans Chairman of the Disputes Chamber