APD/GBA (Belgium) - 161/2022: Difference between revisions
No edit summary |
No edit summary |
||
Line 65: | Line 65: | ||
}} | }} | ||
The Belgian DPA dismissed a complaint of a data subject who received unwanted marketing e-mails. The GDPR was not applicable because the controller was not established in the EEA (Article 3(1) GDPR), it only offered its services incidentally to data subjects in the EEA and it did not use the Euro as accepted currency for payments (Article 3(2) GDPR). | The Belgian DPA dismissed a complaint of a data subject who received unwanted marketing e-mails. The GDPR was not applicable because the controller was not established in the EEA ([[Article 3 GDPR|Article 3(1) GDPR)]], it only offered its services incidentally to data subjects in the EEA and it did not use the Euro as accepted currency for payments ([[Article 3 GDPR|Article 3(2) GDPR]]). | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject received marketing e-mails | The data subject received marketing e-mails twice from a controller in the United Stated (US). This controller had the goal of creating a platform for discussing the challenges and triumphs of Jewish Women by offering writing-workshops and selling a book, which was only available in English. The controller did not accept the Euro as currency for payments. The book could only be delivered to adresses in the US, Canada, and Israel. The data subject claimed it never had any contact with the controller. The controller aldo failed to respond to an erasure request from the data subject within one month. ([[Article 17 GDPR|Article 17]] GDPR). | ||
=== Holding === | === Holding === | ||
The Belgian DPA issued a technical dismissal because the DPA was not authorized to handle the case due to a lack of GDPR applicability. The DPA held that Article 3(1) GDPR was not applicable, because the controller was established in the US and had no establishment in the European Economic Area (EEA). The DPA also determined that Article 3(2) GDPR did not apply. The controller did not comply with all three cumulative requirements for GDPR applicability under Article 3(2) GDPR. The controller complied with the first requirement by not being established in the EEA. However, the controller did not comply with the second requirement because it was not clear whether or not the data subject was actually in EEA territory when he received the e-mails. The controller also failed to comply with the third requirement, because the processing did not relate to ''<nowiki/>'offering of service''s' or ''<nowiki/>'monitoring of behaviour''' | The Belgian DPA issued a technical dismissal because the DPA was not authorized to handle the case due to a lack of GDPR applicability. The DPA held that [[Article 3 GDPR|Article 3(1) GDPR]] was not applicable, because the controller was established in the US and had no establishment in the European Economic Area (EEA). The DPA also determined that [[Article 3 GDPR|Article 3(2) GDPR]] did not apply. The controller did not comply with all three cumulative requirements for GDPR applicability under [[Article 3 GDPR|Article 3(2) GDPR]]. The controller complied with the first requirement by not being established in the EEA. However, the controller did not comply with the second requirement because it was not clear whether or not the data subject was actually in EEA territory when he received the e-mails. The controller also failed to comply with the third requirement, because the processing did not relate to ''<nowiki/>'offering of service''s' or ''<nowiki/>'monitoring of behaviour''' | ||
The DPA determined that there was no ‘''offering of goods and services’'' specifically to data subjects in the EEA (Article 3(2)(a) GPDR). Several elements could be taken into account for this assessment, looking at the specifics of this case ''(‘in concreto’''). The DPA recited several elements from | The DPA determined that there was no ‘''offering of goods and services’'' specifically to data subjects in the EEA ([[Article 3 GDPR|Article 3(2)(a) GPDR]]). Several elements could be taken into account for this assessment, looking at the specifics of this case ''(‘in concreto’''). The DPA recited several elements from recital 23 which provide not enough evidence on its own, such as the accessibility of the controller’s website in the EEA and the posting of an e-mail address, geographical address or phone number without international code on its website. The DPA also referred to [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf EDPB guidelines 03/2018] to support its argument. These guidelines state that in case controllers offer goods and services incidentally or unintentionally to data subjects in the EEA, then any related processing of personal data does not fall under the GDPR. | ||
Since the only available language for the book and workshops was English, the fact that the book could only be delivered in the US, Canada and Israel and the fact that it was only possible to pay in Dollars and Sjekel, the DPA determined that there was no ''offering of goods and services''. The DPA also concluded that there no ''monitoring of behaviour'' because there were no facts in the present case to support this. Therefore, Article 3(2)(a) was not applicable. '' '' | Since the only available language for the book and workshops was English, the fact that the book could only be delivered in the US, Canada and Israel and the fact that it was only possible to pay in Dollars and Sjekel, the DPA determined that there was no ''offering of goods and services''. The DPA also concluded that there no ''monitoring of behaviour'' because there were no facts in the present case to support this. Therefore, [[Article 3 GDPR|Article 3(2)(a) GDPR]] was not applicable. '' '' | ||
The DPA also stated that no other legislation regarding data protection was applicable. Therefore, the DPA was not authorized. It refered to the USA authorities to apply the GDPR in this case. | The DPA also stated that no other legislation regarding data protection was applicable. Therefore, the DPA was not authorized. It refered to the USA authorities to apply the GDPR in this case. |
Revision as of 14:10, 21 November 2022
APD/GBA - 161/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 3(1) GDPR Article 3(2) GDPR Article 17 GDPR Article 77 GDPR |
Type: | Complaint |
Outcome: | Other Outcome |
Started: | 29.08.2022 |
Decided: | 08.11.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 161/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Gegevensbeschermingsautoriteit (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA dismissed a complaint of a data subject who received unwanted marketing e-mails. The GDPR was not applicable because the controller was not established in the EEA (Article 3(1) GDPR), it only offered its services incidentally to data subjects in the EEA and it did not use the Euro as accepted currency for payments (Article 3(2) GDPR).
English Summary
Facts
The data subject received marketing e-mails twice from a controller in the United Stated (US). This controller had the goal of creating a platform for discussing the challenges and triumphs of Jewish Women by offering writing-workshops and selling a book, which was only available in English. The controller did not accept the Euro as currency for payments. The book could only be delivered to adresses in the US, Canada, and Israel. The data subject claimed it never had any contact with the controller. The controller aldo failed to respond to an erasure request from the data subject within one month. (Article 17 GDPR).
Holding
The Belgian DPA issued a technical dismissal because the DPA was not authorized to handle the case due to a lack of GDPR applicability. The DPA held that Article 3(1) GDPR was not applicable, because the controller was established in the US and had no establishment in the European Economic Area (EEA). The DPA also determined that Article 3(2) GDPR did not apply. The controller did not comply with all three cumulative requirements for GDPR applicability under Article 3(2) GDPR. The controller complied with the first requirement by not being established in the EEA. However, the controller did not comply with the second requirement because it was not clear whether or not the data subject was actually in EEA territory when he received the e-mails. The controller also failed to comply with the third requirement, because the processing did not relate to 'offering of services' or 'monitoring of behaviour'
The DPA determined that there was no ‘offering of goods and services’ specifically to data subjects in the EEA (Article 3(2)(a) GPDR). Several elements could be taken into account for this assessment, looking at the specifics of this case (‘in concreto’). The DPA recited several elements from recital 23 which provide not enough evidence on its own, such as the accessibility of the controller’s website in the EEA and the posting of an e-mail address, geographical address or phone number without international code on its website. The DPA also referred to EDPB guidelines 03/2018 to support its argument. These guidelines state that in case controllers offer goods and services incidentally or unintentionally to data subjects in the EEA, then any related processing of personal data does not fall under the GDPR.
Since the only available language for the book and workshops was English, the fact that the book could only be delivered in the US, Canada and Israel and the fact that it was only possible to pay in Dollars and Sjekel, the DPA determined that there was no offering of goods and services. The DPA also concluded that there no monitoring of behaviour because there were no facts in the present case to support this. Therefore, Article 3(2)(a) GDPR was not applicable.
The DPA also stated that no other legislation regarding data protection was applicable. Therefore, the DPA was not authorized. It refered to the USA authorities to apply the GDPR in this case.
The DPA dismissed the complaint (Article 95(1)(3) LCA).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/6 Dispute room Decision 161/2022 of 8 November 2022 File number : DOS-2022-03527 Subject : Complaint for failure to comply with a request for data erasure The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, sitting alone; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has taken the following decision regarding: . The complainant: Mr X, hereinafter referred to as “the complainant”; . . The Defendant: Y, hereinafter referred to as “the Defendant”. Decision 161/2022 - 2/6 I. Facts procedure 1. On 29 August 2022, the complainant lodged a complaint with the Data Protection Authority against the defendant. The complaint concerns the unsolicited sending of newsletters by the defendant. The complainant states that he received unwanted emails from the defendant on July 19, 2022 and August 29, 2022, despite the fact that he never had contact with the defendant. On 20 July 2022, the complainant heeft his request for the right to erasure exercised in accordance with Article 17 GDPR at regard to the defendant. However, he was not allowed to receive an answer to this within the legal framework provided period of 1 month. 2. On October 11, 2022, the complaint will be declared admissible by the Frontline Service on the basis of the Articles 58 and 60 of the WOG and the complaint pursuant to Article 62, §1 of the WOG is forwarded to the Dispute room. II. Justification 3. Based on the elements in the file known to the Disputes Chamber and on the basis of the powers assigned to it by the legislator on the basis of Article 95, §1 WOG, the Disputes room about the further follow-up of the file; in this case, the Disputes Chamber proceeds to: the dismissal of the complaint in accordance with Article 95, §1, 3° WOG, based on the following motivation. 4. In the event of a dismissal, the Disputes Chamber must gradually investigate and motivate: 1 - whether there is insufficient prospect of a conviction, after which a technical dismissal follows; - whether a successful conviction would be technically feasible but on grounds, in general interest, a (further) prosecution is undesirable, followed by a policy dismissal. In the event that more than one soil is disposed of, the discarded soils (or technical 2 and policy dismissal) should be treated in order of importance. 5. Based on the information currently available to the Disputes Chamber, it considers it impossible to follow up on the complaint for the reasons that will be explained below explained. Consequently, it decides to proceed with a technical dismissal. 6. So that the Disputes Chamber - to which the complainant relied on the basis of Article 77 of the GDPR - would be competent to handle his complaint, it is in the first place necessary that the GDPR 1 cf. judgment of the Brussels Court of Appeal (Marktenhof), 2 September 2020, no. 2020/5460, 18. 2Ibid. Decision 161/2022 - 3/6 applies to the facts at issue or whether other legislation relating to data protection that may form the basis of the jurisdiction of the Disputes Chamber, of applies. 7. The AVG only applies if the data processing is within the scope of the AVG fall. 8. With regard to the territorial scope of the GDPR, Article 3 of the GDPR assumes of two different cases. In the first case (Article 3.1 of the GDPR), the data processing carried out in the context of the activities of an establishment of a controller in the territory of the European Economic Area. This first 3 hypothesis therefore presupposes the existence of an establishment on the territory of European Economic Area. The complaint in the present case is against a legal person who is United States of which there is no establishment in the territory of the European Economic Area exists. Article 3.1. of the GDPR therefore does not apply. 9. The second case provided for in article 3.2GDPR specifies that the GDPR applies to the processing of personal data that meet the following three cumulative conditions: - the processing was carried out by a controller who is not established in the European Economic Area; - the processing concerns data subjects who are located on the territory of the European Economic Area; and - these processing activities are related to: a) offering goods or services to these data subjects (Article 3.2.a) GDPR) or b) monitoring their behavior, insofar as this behavior in the European Economic Area takes place (Article 3.2.b) GDPR). 10. On the basis of the documents in the file, the Disputes Chamber is of the opinion that in this case this cumulative conditions are met. With regard to the first condition, the Disputes Chamber established that the defendant is indeed not established in the European Economic Area. For what Concerning the second condition, the Disputes Chamber notes that it is not clear from the complaint whether the the complainant was located in the territory of the European Economic Area. Assuming that the complainant was indeed located in the territory of the European Economic Area in the at the time of the alleged facts - which is therefore not clear from the complaint - has not been fulfilled to the third condition. The processing activity in question is not related to "offering of goods and services" , nor with "monitoring of data subjects' behaviour". 3The concept of establishment is explained in recital 22: Establishment presupposes the effective and effective exercise of activities through sustainable relationships. The legal form of such relationships, whether a branch or a subsidiary with legal personality, is not decisive in this regard. Decision 161/2022 - 4/6 11. The offering of goods and services should be understood as an offer of goods and services specifically aimed at data subjects in the European Economic Area (for example, on a website located outside the borders of the European Economic Area, which offer goods and services in one of the languages of the European Economic Area, with possibility to pay in euros, etc.) . These elements must be assessed in concrete terms to determine whether goods and services are being offered. 5 The Litigation Chamber recalls that Recital 23 confirms that the accessibility of the website of the controller, processor or an intermediary in the European Economic Area Space, the mention on the website of his e-mail or geographical address, or of his telephone number without an international code, does not in itself constitute sufficient evidence that the controller or processor intends to offer goods or services to a data subject in the European Economic Area. In this regard, the Disputes Chamber refers to the Guidelines of the European Data Protection Board (EDPB) stating that when goods or services are inadvertently or incidentally supplied to a person on the territory of the European Economic Area, the related processing of personal data does not fall under the territorial scope of the GDPR. 6 12. In this case, the purpose of the controller is to create an (English) platform where insights and experiences can be shared about the challenges and triumphs of Jewish women. In this context, writing workshops as well as a book with testimonials of Jewish women in Israel for sale. The workshops and the book are only available in in English and are also only offered for sale against payment in dollars and shekels. The book can also only be delivered within the United States of America and Canada on the one hand and Israel on the other hand. The Disputes Chamber therefore concludes that there is no question of an offer of goodsandservicesspecificallyfocusedonthepersonsintheEuropeanEconomicSpace in accordance with Article 3.2.a) GDPR. 13. By "monitoring the behavior of the data subjects", it is understood, the trackingactivitiesofthebehaviourontheinternetbutnotjustthat. More generally it's possible include activities to monitor the behavior of data subjects, such as behavioral advertising, geolocation for direct marketing purposes, the use of cookies or surveillance cameras. There is also the condition that this behavior must take place within the European Economic Area. From the 4see Article 29 Data Working Party, EU General Data Protection Regulation: General Information Document, p.2, available at https://www.appaforum.org/wp-content/uploads/2019/10/appa-gdpr-general-information-document.pdf. 5D. SVANTESSON “Article 3. Territorial scope”, in C. KUNER. the EU General Data Protection Regulation, A Commentary, Oxford University Press 2020, p. 90. 6 EDPB Guidelines 3/2018 on the territorial scope of the GDPR (art. 3) dated. November 19, 2019, p. 18, available at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf. 7 EDPB Guidelines 3/2018 on the territorial scope of the GDPR (art. 3) dated. November 19, 2019, p. 19, available at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf 8 EDPB Guidelines 3/2018 on the territorial scope of the GDPR (art. 3) dated. November 19, 2019, p. 20, available at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf Decision 161/2022 - 5/6 There is no indication in the complaint that there would be any monitoring of the behavior of the person concerned. The The Disputes Chamber therefore concludes that there is no monitoring of the behavior of data subjects in accordance with Article 3.2.a) GDPR. 14. In view of the above, the Disputes Chamber decides that the GDPR does not apply to the facts presented in the complaint. 15. The Disputes Chamber also notes that with regard to the facts in the present complaint, no some other legislation on the protection of personal data applies which means that there are no elements giving rise to its competence. In that case, it belongs to the competent US authorities to apply the GDPR in this case. 16. Since the GDPR does not apply in this case, nor does any other legislation containing provisions contains on the protection of the processing of personal data, which could be the basis constitute the competence of the Data Protection Authority, it is not possible that the The Disputes Chamber will handle your complaint. Pursuant to art. 95, §1, 3° of the law of 3 December 2017 establishing the Data Protection Authority, the Disputes Chamber decides consequently to dismiss the complaint. III.Publication of the decision 17. In view of the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision will be published on the website of the Data Protection Authority. It is however, it is not necessary for the identification of the parties to be directly used for this purpose announced. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - pursuant to art. 95, §1, 3° WOG to dismiss the complaint. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification appeal against this decision to the Marktenhof (Brussels Court of Appeal), with the Data Protection Authority as Defendant. Such an appeal may be lodged by means of an adversarial petition that the 9 1034terof the Judicial Code, the statements listed should contain .The application to 9The petition states on pain of nullity: Decision 161/2022 - 6/6 contradiction must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Ger.W. , or via the e-Deposit IT system of Justice (Article 32ter of the Ger.W.). (get). Hielke Hijmans Chairman of the Disputes Chamber 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the name, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and the brief summary of the grounds of the claim; 5° the court before whom the claim is brought; 6° the signature of the applicant or of his lawyer. 10The application with its annex shall be sent, in as many copies as there are interested parties, by registered letter to the clerk of the court or at the registry.