APD/GBA (Belgium) - 115/2023: Difference between revisions

From GDPRhub
Revision as of 09:31, 13 September 2023

APD/GBA - 115/2023
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 35 GDPR
Type: Complaint
Outcome: Rejected
Started: 04.07.2023
Decided: 16.08.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 115/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Gegevensbeschermingsautoriteit (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA dismissed a complaint, despite the existence of GDPR breaches. The DPA was of the opinion that the breaches did not result in a "major social and/or personal impact," thus the resources required to investigate the complaint would be disproportionate.

English Summary

Facts

On 4 July 2023, the data subject submitted a complaint to the Belgian DPA. The complaint concerned the repeated occurrence of a data breach. The data subject tried to submit a document to his personal profile on the controller's platform twice but it was submitted to his employer's company account instead. The information incorrectly registered included payment details and the data subject's power of attorney. The data subject filed a complaint against the controller of the platform for data breaches.

Holding

The Belgian DPA dismissed the case on "policy grounds", mainly on the basis that no personal or social impact was caused as a result of the GDPR violations. The DPA notes that "in order to evaluate the foregoing [complaint] ... the [DPA] ... takes into account the criteria that European Data Protection Authorities handle processing operations with a 'high risk' within the meaning of Article 35 GDPR."

Article 35 GDPR imposes an obligation upon controllers to conduct a risk assessment of their processing activities, where the processing is likely to result in a high risk to the rights and freedoms of natural persons (Data protection impact assessment or DPIA). The Belgian DPA has taken the concept of high risk processing and has extended it to its criteria used in evaluating complaints.

The Belgian DPA dismissed the complaint as it found a lack of "major social and/or personal impact." It argued that as a result, there was no reason to further investigate the complaint, despite the existence of prima facie violations of the GDPR.

The Belgian DPA has narrowly interpreted the right to lodge a complaint with a supervisory authority under Article 77 GDPR, concluding that the right to lodge a complaint is not absolute. On this point, the Belgian DPA stated that:

"However, this objective right of complaint does not imply that every complaint can and will be thoroughly investigated by the competent authority, given its intrinsic nature and lack of resources. The Belgian legislator has in this regard explicitly recognised 'the need for the Data protection authority to be able to act selectively with a view to an effective and efficient enforcement policy.'"

Comment

https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf

(General criteria "Your complaint is not detailed enough or is not supported by evidence that could enable the Dispute Chamber to decide whether or not there is a breach of the GDPR AND your complaint has no major social and/or personal impact.")

The Belgian DPA has created a test of "major social and/or personal impact" as a criterion for evaluating complaints, even though this test is nowhere to be found in the GDPR. Moreover, the DPA takes the concept of high risk processing from Article 35 GDPR, which is an article directed at controllers, and uses it as a basis for evaluating the admissibility of complaints.

Article 57 GDPR sets out the tasks afforded to supervisory authorities under the Regulation. A primary task of supervisory authorities is to "monitor and enforce the application of this Regulation" (Article 57(1)(a) GDPR), therefore there is an obligation upon supervisory authorities to enforce against breaches of the GDPR. Commentators recognise that due to the limited resources afforded to DPAs, DPAs often need to prioritise the complaints brought to them. Hijmans contends that "the need for effectiveness and accountability justifies the conclusion that strategic approaches are not just optional for DPAs but required by the GDPR."[1][2] Therefore, the evaluation and prioritisation of complaints by the Belgian DPA is not contrary to the GDPR. However, its reliance on Article 35 GDPR to do so is questionable.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.





                                                                           Litigation room


                                              Decision 115/2023 of 16 August 2023




File number : DOS-2023-02893


Subject : Complaint due to the repeated occurrence of a data breach




The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke
Hijmans, sole chairman;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data and revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereafter WOG;


Having regard to the rules of internal order, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Having regard to the documents in the file;


Made the following decision regarding:



The complainant: Mr. X, hereinafter “the complainant”


The defendant: Y, hereinafter “the defendant”


I. Factual Procedure


    1. The object of the complaint concerns the repeated occurrence of a data breach. The complainant

        wanted to have a document registered on his personal […] user profile, but

        the payment request and the actual power of attorney were both initially (incorrectly)

        registered on the account of the company […] instead of the personal […]-user profile

        of the complainant as an individual citizen.

       The personal data that was available through the […] user profile is at least the

       names of the relevant principals and holders of [the document]. On the basis of the documents

       attached to the complaint, it is unclear whether the contents of [the document] are also available

       wash (see below). If this was the case, then the national register number and the

       addresses of those involved can be consulted.

    2. On July 4, 2023, the complainant submits a complaint to the Data Protection Authority against

        defendant.


    3. On August 14, 2023, the complaint will be declared admissible by the First Line Service on

        pursuant to Articles 58 and 60 of the WOG and the complaint is settled pursuant to Art. 62, § 1 WOG

        submitted to the Disputes Chamber.


II. Motivation


    4. On the basis of the elements in the file known to the Litigation Chamber, and on the basis

        of the powers conferred on it by the legislator pursuant to Article 95, § 1 WOG

        assigned, the Litigation Chamber decides on the further follow-up of the file; in this case

        the Disputes Chamber will proceed to dismiss the complaint in accordance with Article 95,

        § 1, 3° WOG, on the basis of the following motivation.

    5. When a complaint is dismissed, the Disputes Chamber makes its decision

        step-by-step motivation and:


            - declare a technical dismissal if the file is not sufficient or not sufficient

               contains elements that could lead to a conviction, or if there are not enough
               there is a prospect of a conviction for a technical impediment,

               as a result of which it cannot reach a decision;


            - or pronounce a policy dismissal, if despite the presence of elements

               which may lead to a sanction, the continuation of the investigation of the

               dossier does not seem appropriate in the light of the priorities of the




1 Court of Appeal Brussels, Section Marktenhof, 19 Chamber A, Chamber for Market Affairs, Judgment 2020/AR/329, 2 September 2020, p. 18.


               Data Protection Authority, as specified and explained in the

               dismissal policy of the Litigation Chamber . 2


    6. In the present file, the Disputes Chamber proceeds to dismiss the complaint,

        based on policy grounds for dismissal. What follows is the basis of the

        decision of the Disputes Chamber why it considers it undesirable to take further action

        to the file and therefore decides not to proceed, inter alia, with a treatment

        ground.


    7. First of all, the Disputes Chamber checks, in accordance with its dismissal policy, whether the submitted

        complaint contains grievances with a major social and/or personal impact . 4

        In order to evaluate the foregoing, the Litigation Chamber takes into account the criteria that

        European data protection authorities handle processing operations with a “high

        risk” within the meaning of Article 35 GDPR.


        In this case, the Disputes Chamber establishes that the processing in question is subject to the complaint

        The allegations filed by the complainant prima facie cannot be accommodated

        one of the cases listed in Article 35.3 GDPR. 5


    8. The Disputes Chamber also takes into account that the principal of [the document] (Z)

        does not submit a complaint himself and that the email address used by the complainant refers to the

        relevant company (…) which may explain the cause of the error/mistake. Although

        such an error (particularly if it occurs twice)

        is regrettable, the Disputes Chamber is of the opinion that the complaint does not fall under one of the

        criteria taken into account to identify major data processing operations

        societal and/or personal impact, such as through the

        Data Protection Authority described in its dismissal policy. The Dispute Room

        weighs the personal consequences of the circumstances of the complaint for the

        fundamental rights and freedoms of the complainant against the effectiveness of her

        action when it decides whether it considers it appropriate to deal with the complaint further.


    9. This does not mean that the Dispute Chamber lawfully determines that there has been no violation

        occurred, but that the resources required to deal with the complaint are provided



2 In this regard, the Litigation Chamber refers to its dismissal policy as set out in detail on the website of the GBA:
https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf
3 It concerns 3.2.1 (General criteria for gr“Your complaint is not detailed enough or is not supported by evidence
that could enable the Dispute Chamber to decide whether or not there is a breach of the GDPR AND your
complaint has no major social and/or personal impact.”
4 Ibid, Section 3.2.1. p. 9.
5 a) A systematic and comprehensive assessment of personal aspects of natural persons, which is based on
automated processing, including profiling, and on which decisions are based on which the natural
person have legal consequences or which similarly significantly affect the natural person;
b) Large-scale processing of special categories of personal data as referred to in Article 9(1) or of data
in relation to criminal convictions and offenses referred to in Article 10; or
c) Systematic and large-scale monitoring of publicly accessible spaces.



        be (possibly) excessive, as the complaint does not involve any major social and/or

        has a personal impact. 6

    10. In addition, the Disputes Chamber is of the opinion that ground for dismissal B.5 applies.

        Since it has already been shown that there does not seem to be a large

        social and/or personal impact, the Disputes Chamber only checks whether there is

        case, there is sufficient detailed evidence to support a decision of the

        Litigation room possible.


    11. The complainant informs the Disputes Chamber that access is via the […] user profile

        would have been possible until [the] completed [document], but this does not appear as such

        from the documents – here only a blank [document] is linked to the […]

        user profile. The Disputes Chamber also learns that the complainant is in contact

        recorded with the defendant via the online complaint form of […], but none here

        further heeded. However, the complainant has not attached a copy of this complaint

        and it is therefore unclear to the Litigation Chamber whether the complainant has rights in this complaint

        under the GDPR is merely mentioning the alleged data seems ancillary

        measures (the dismissal of the employee in question), independent of the GDPR.


 12. Despite the fact that the Disputes Chamber can establish prima facie that there are indeed

       breaches of the GDPR have occurred, the Litigation Chamber must take into account

       the lack of documentary evidence and the lack of a high existence

       personal/social impact conclude that the complaint in this case has not been dealt with
       fundamentally required. The Disputes Chamber decides not to act for reasons of expediency

       give to the file. Under Article 77 GDPR, every data subject whose

       personal data is processed within the territorial scope of the GDPR,

       of a complaint law. However, this objective right of complaint does not imply that every complaint is also

       can and will be thoroughly investigated by the competent authority, given its intrinsic nature

       lack of resources. 7 The Belgian legislator has in this regard “the need for the

       Data protection authority to be able to act selectively with a view to a

       effective and efficient enforcement policy” explicitly recognized .


    13. However, the Litigation Chamber points out that, in the event of the receipt of repeated

        similar complaints concerning the same practices/or controller,

        a targeted investigation into the data controller concerned is possible

        be requested from the Inspection Service of the Data Protection Authority. It itself


6
 https://www.dataprotectionauthority.be/publications/sepotpolicy-van-de-geschillenkamer.pdf, section 3.2.2, point
B.5., p. 15.
7cf. Court of Justice EU, Judgment of 16 July 2020, DPC v. Facebook Ireland & Maximillian Schrems, C-311/18, para. 112.

8 Own emphasis in quote, cf. Belgian Chamber of Representatives, Explanatory Memorandum to the
Draft law establishing the Data Protection Authority, Doc. 2648/001 (Parliamentary term 54), available from:
https://www.dekamer.be/kvvcr/showpage.cfm?section=/flwb&language=nl&cfm=/site/wwwcfm/flwb/flwbn.cfm?lang=N&legislat=54&dossierID=2648, 51.


       after all, the repeated occurrence of such an incident may point to an earlier one

       systemic violation of Articles 25 and/or 32 GDPR, due to the lack of

       appropriate technical and organizational measures to ensure confidentiality and

       to ensure the security of personal data.


    14. In addition, the Disputes Chamber points to the general obligation cf. article 33 GDPR of

       Y to report data leaks to the Data Protection Authority via the appropriate

       channel provided in the event that the incident poses risks to the fundamental

       rights and freedoms of those involved, although the Disputes Chamber cannot immediately determine

       that such risks exist in the present case. Every incident serves
       on the other hand, to be included in the incident register provided for this purpose,

       in accordance with Article 33.5 GDPR.



III. Publication and communication of the decision


    15. Given the importance of transparency with regard to decision-making by the

       Litigation Chamber, this decision will be published on the website of the

       Data Protection Authority. This will include the personal data of the complainant

       anonymized.


    16. In accordance with its filing policy, the Litigation Chamber will give the decision to the defendant

       to transfer 9. After all, the Disputes Chamber has decided to dismiss its decisions
       ex officio notification to the defendants. However, the Disputes Chamber waives it

       such notification when the complainant has requested anonymity with respect to it

       of the defendant (and the notification of the decision to the defendant, even if

       it is pseudonymised, nevertheless makes it possible to inform the complainant

       (re)identify . However, that is not the case in the present case.





    FOR THESE REASONS,


    the Disputes Chamber of the Data Protection Authority decides, after deliberation,

    to dismiss the present complaint pursuant to Article 95, § 1, 3° of the WOG.

9Cf. Title 5 – Will the dismissal of my complaint be published? Will the counterparty be notified?
of the dismissal policy of the Litigation Chamber.
10 Ibid.



Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notification against this decision may be appealed to the Marktenhof (court of

Brussels appeal), with the Data Protection Authority as defendant.


Such an appeal may be made by means of an inter partes petition

must contain the information listed in Article 1034ter of the Judicial Code 11. It

a contradictory petition must be submitted to the Registry of the Market Court

in accordance with article 1034quinquies of the Ger.W. 12, or via the e-Deposit

IT system of Justice (Article 32ter of the Ger.W.).


To enable the complainant to consider other possible remedies, the

Litigation Chamber the complainant to the explanation in its dismissal policy . 13







(signed) Hielke HIJMANS


Chairman of the Litigation Chamber

11 The petition states under penalty of nullity:
 1° the day, month and year;

 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
     enterprise number;
 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be
     summoned;
 4° the object and brief summary of the means of the claim;

 5° the court before which the action is brought;
 6° the signature of the applicant or his lawyer.
12The application with its annex is sent by registered letter, in as many copies as there are parties involved

deposited with the clerk of the court or at the clerk's office.
13Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Litigation Chamber.
  1. Hijmans, Hielke, 'Article 57 Tasks', in Christopher Kuner and others (eds), The EU General Data Protection Regulation (GDPR): A Commentary (New York, 2020; online edn, Oxford Academic), https://doi.org/10.1093/oso/9780198826491.003.0099, accessed 6 Sept. 2023.
  2. To note, Prof Dr Hielke Hijmans is President of the Belgian Data Protection Authority.