APD/GBA (Belgium) - 11/2024: Difference between revisions
From GDPRhub
(Good summary! Please remember to include the relevant GDPR articles inside the summary and elaborate on them before mentioning the conclusion) |
|||
| Line 67: | Line 67: | ||
}} | }} | ||
The Belgian DPA found the controller to have breached [[Article 15 GDPR]] in conjunction with [[Article 12 GDPR|Article 12(3) and (4) GDPR]] for having replied to the complainant's access request insufficiently and exceeding the 1-month deadline. The DPA mandated the controller to comply with the complainant's access request within 30 days. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On March | On 23 March 2023, an employee of the controller consulted an extract of the complainant's personal data stored in the National Register. | ||
After that, the complainant filed an access request, requesting clarification into who accessed their data and for what purpose. Due to not receiving any response regarding the access request, the plaintiff filed a complaint with the Belgian DPA on 14 June 2023. | |||
On August | On 7 August 2023, the controller replied to the access request, acknowledging that it consulted the National Register records of the complainant and that the processing was performed by a professional with specific authorization. However, due to professional secrecy, the controller could not disclose the professional's identity or assess whether the consultation complied with legal and ethical obligations. | ||
=== Holding === | === Holding === | ||
The Belgian DPA stressed that the controller, in its capacity, must comply with a request made by a data subject pursuant to Articles 15 to 22 GDPR, in compliance with the conditions set out in [[Article 12 GDPR|Article 12 GDPR,]] and to provide the data subject with information on the measures taken, as soon as possible and in any event within one month of receipt of the request. | |||
Furthermore, the DPA noted that pursuant to [[Article 5 GDPR#2|Article 5(2) GDPR]] and [[Article 24 GDPR]], the controller should be able to demonstrate its compliance with the data protection principles. | |||
In light of the facts of the case, considering that the complainant clearly exercised their right to access under [[Article 15 GDPR|Article 15 GDPR,]] that on 14 June 2023, the complainant complained to have not received any answer and that the controller only replied on 7 August 2023, the controller exceeded its deadline established in [[Article 12 GDPR|Article 12(3) and (4) GDPR]]. | |||
Therefore, the Belgian DPA found the controller to have breached [[Article 15 GDPR]] in conjunction with [[Article 12 GDPR|Article 12(3) and (4) GDPR]], and it mandated the controller to comply with the complainant's access request within 30 days from the notification of the decision. Additionally, the controller was ordered to inform the DPA about the actions taken in response to the decision within the same timeframe. | |||
== Comment == | == Comment == | ||
This decision emphasizes the right of access under GDPR, particularly highlighting the obligations of data controllers to provide data subjects with access to their personal data and the importance of complying with data subject rights within a timely manner. | |||
== Further Resources == | == Further Resources == | ||
Revision as of 09:32, 14 February 2024
| APD/GBA - DOS-2023-02597 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(2) GDPR Article 12(2) GDPR Article 12(3) GDPR Article 15 GDPR Article 24 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 14.06.2023 |
| Decided: | 22.01.2024 |
| Published: | 22.01.2024 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | DOS-2023-02597 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | Autorité de protection des données Gegevensbeschermingsautoriteit (in FR) |
| Initial Contributor: | Diana Rosu |
The Belgian DPA found the controller to have breached Article 15 GDPR in conjunction with Article 12(3) and (4) GDPR for having replied to the complainant's access request insufficiently and exceeding the 1-month deadline. The DPA mandated the controller to comply with the complainant's access request within 30 days.
English Summary
Facts
On 23 March 2023, an employee of the controller consulted an extract of the complainant's personal data stored in the National Register.
After that, the complainant filed an access request, requesting clarification into who accessed their data and for what purpose. Due to not receiving any response regarding the access request, the plaintiff filed a complaint with the Belgian DPA on 14 June 2023.
On 7 August 2023, the controller replied to the access request, acknowledging that it consulted the National Register records of the complainant and that the processing was performed by a professional with specific authorization. However, due to professional secrecy, the controller could not disclose the professional's identity or assess whether the consultation complied with legal and ethical obligations.
Holding
The Belgian DPA stressed that the controller, in its capacity, must comply with a request made by a data subject pursuant to Articles 15 to 22 GDPR, in compliance with the conditions set out in Article 12 GDPR, and to provide the data subject with information on the measures taken, as soon as possible and in any event within one month of receipt of the request.
Furthermore, the DPA noted that pursuant to Article 5(2) GDPR and Article 24 GDPR, the controller should be able to demonstrate its compliance with the data protection principles.
In light of the facts of the case, considering that the complainant clearly exercised their right to access under Article 15 GDPR, that on 14 June 2023, the complainant complained to have not received any answer and that the controller only replied on 7 August 2023, the controller exceeded its deadline established in Article 12(3) and (4) GDPR.
Therefore, the Belgian DPA found the controller to have breached Article 15 GDPR in conjunction with Article 12(3) and (4) GDPR, and it mandated the controller to comply with the complainant's access request within 30 days from the notification of the decision. Additionally, the controller was ordered to inform the DPA about the actions taken in response to the decision within the same timeframe.
Comment
This decision emphasizes the right of access under GDPR, particularly highlighting the obligations of data controllers to provide data subjects with access to their personal data and the importance of complying with data subject rights within a timely manner.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/8
Litigation Chamber
Decision 11/2024 of January 22, 2024
File number: DOS-2023-02597
Subject: Complaint relating to the lack of response to the exercise of the right of access concerning the
consultation of the National Register
The Litigation Chamber of the Data Protection Authority, made up of Mr.
Hielke HIJMANS, president;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the
protection of natural persons with regard to the processing of personal data and
to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the
data protection), hereinafter “GDPR”;
Having regard to the Law of December 3, 2017 establishing the Data Protection Authority, hereinafter
“ACL”;
Having regard to the Law of July 30, 2018 relating to the protection of individuals with regard to
processing of personal data, hereinafter “LTD”;
Considering the internal regulations as approved by the House of Representatives on 20
December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Has taken the following decision regarding:
The complainant: X, Belgium, hereinafter “the complainant”; .
.
.
The defendant: Y, Belgium, hereinafter “the defendant”. Decision 11/2024 — 2/8
I. Facts and procedure
1. On June 14, 2023, the complainant filed a complaint with the Data Protection Authority.
data (hereinafter “APD”) against the defendant, Y
2. This complaint concerns the lack of response to the complainant's request for access regarding
consultation of the National Register (hereinafter “RN”) by the defendant.
3. On March 23, 2023, the defendant consulted the plaintiff's RN.
4. On June 14, 2023, in the initial complaint form, the complainant explained that he did not obtain
no response as to the reasons for consulting his RN and the identity of the
person who carried out this consultation.
5. On July 3, 2023, the Front Line Service (hereinafter “SPL”) encouraged the complainant to
exercise their rights with the defendant and provide a copy of this correspondence.
6. On an unknown date, the complainant contacted the defendant to ask her
the identity of the person who consulted their RN as well as the reasons for such consultation.
7. On August 7, 2023, the defendant responded to the complainant that it was indeed a professional who
carried out the consultation of his RN. According to the defendant, this consultation is permitted
by deliberation no. 22/2012 of March 14, 2012 of the Sectoral Committee of the National Register of
the Privacy Protection Commission. And, by virtue of this authorization,
defendant may have permanent access to the information referred to in Article 3, first
and second paragraph of the law of August 8, 1983 organizing a National Register of Persons
physical. The defendant specified that this access is authorized for the sole purpose of
communicate to professionals of this order the information they need in the
framework of the tasks that they carry out as (..) in accordance with the said law. However, the
defendant explained that she could not communicate the identity of the professional who
consulted his data due to professional secrecy in accordance with article 11 of the said
law. Furthermore, the defendant explained that it was not competent to examine whether, in the
framework of this consultation, this professional respected the legal obligations and
ethical. Therefore, the defendant informed the plaintiff that “..” of the Order whose
depends on the professional concerned who will carry out these checks and the assessment will be
communicated.
8. On September 29, 2023, the complainant explained to the SPL that he was not satisfied with the response from
the defendant. She also affirmed that, since August 7, 2023, she has not yet
was contacted regarding the checks that the defendant was to carry out. Decision 11/2024 — 3/8
9. On October 27, 2023, the complaint was declared admissible by the SPL on the basis of articles 58
1
and 60 of the LCA and the complaint is transmitted to the Litigation Chamber under article
st 2
62, § 1 of the LCA.
II. Motivation
10. Pursuant to Article 4, § 1 of the LCA, the APD is responsible for monitoring the principles
data protection contained in the GDPR and other laws containing
provisions relating to the protection of the processing of personal data.
11. In application of article 33, § 1 of the LCA, the Litigation Chamber is the body of
administrative litigation of the APD. It receives complaints that the SPL sends to it in
application of article 62, § 1 of the LCA, or admissible complaints. In accordance with
Article 60 paragraph 2 of the LCA, complaints are admissible if they are drawn up in one
national languages, contain a statement of the facts and the necessary information for
identify the processing of personal data to which they relate and which
fall under the jurisdiction of the APD.
12. Pursuant to articles 51 et seq. of the GDPR and article 4, § 1 of the LCA, it is up to the
Litigation Chamber as an administrative litigation body of the APD, to exercise
effective control of the application of the GDPR and to protect freedoms and rights
fundamentals of natural persons with regard to the processing and to facilitate the free flow
personal data within the Union.
13. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the order regulations
internal to the DPA, a copy of the file may be requested by the parties. If one of the
parties wish to make use of the possibility of consulting the file, they are required to
contact the secretariat of the Litigation Chamber, preferably via the address
litigationchamber@apd-gba.be.
14. Based on the facts described in the complaint file as summarized above, and on
basis of the powers assigned to it by the legislator pursuant to article 95,
§ 1 of the LCA, the Litigation Chamber decides on the follow-up to be given to the complaint; in
the occurrence, the Litigation Chamber decides on the basis of article 58.2.a) of the GDPR and
of article 95, § 1, 4° of the LCA, to send a warning concerning a possible
breach of articles 12.3, 12.4 and article 15 of the GDPR (right of access), for
reasons set out below. Furthermore, in accordance with article 58.2.c) of the GDPR and article
95, § 1, 5° of the LCA, the Litigation Chamber decides to order the party
defendant to comply with the request of the data subject to exercise their
1Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been declared
admissible.
2Pursuant to article 95, § 2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that following this complaint,
the file was sent to him. Decision 11/2024 — 4/8
rights, more specifically the right of access, within 30 days from the date of
notification of this decision.
15. The Litigation Chamber takes into consideration the grievance raised by the complainant regarding
the lack of response from the defendant to its request for access, including the
precise date was not specified, but whose response was provided by the defendant on August 7
2023 (see point 7) as well as the recommendations of the SPL dated July 3, 2023 (see point
5) clearly confirm its exercise, in accordance with Article 15 of the GDPR.
16. Article 4(7) of the GDPR defines the “data controller” as “the person
physical or legal entity, public authority, service or other body which, alone or
3
jointly with others, determines the purposes and means of the processing.
17. The Litigation Chamber recalls that the data controller must follow up on the request.
request made pursuant to articles 15 to 22 of the GDPR by the data subject,
in this case an access request provided for by Article 15 of the GDPR, in compliance with the
conditions set out in article 12 of the GDPR.4
18. Under Article 12.1 of the GDPR, it is the responsibility of the data controller to take “
appropriate measures to provide any information referred to in Articles 13 and 14 as well as
to make any communication under Articles 15 to 22 and Article 34 with regard to
concerns the processing of the data subject in a concise, transparent manner,
understandable and easily accessible, in clear and simple terms [...]. ".
19. The Litigation Chamber also emphasizes that it is the responsibility of the data controller
to provide the data subject with information on the measures taken following a
request made in application of articles 15 to 22 of the GDPR, as soon as possible and
in any event within one month of receipt of the request. 5
Article 12.3 of the GDPR provides that this period may, if necessary, be extended by two months,
6
given the complexity and number of requests. In such a case, the person responsible
processing informs the data subject of this extension and the reasons for the postponement
7
within one month of receipt of the request.
20. In the event that the data controller does not respond to the request made
by the person concerned, he informs him without delay and at the latest within one
months from receipt of the request of the reasons for its inaction and the possibility
3
According to Article 4, 2) of the GDPR, “processing” of personal data means “any operation or set of operations
carried out or not using automated processes and applied to personal data or sets of data, such as
that the collection, recording, organization, structuring, conservation, adaptation or modification, extraction, consultation,
use, communication by transmission, broadcasting or any other form of making available, rapprochement or interconnection,
4a limitation, erasure or destruction”.
5GDPR, art. 12.
6GDPR, art. 12.2 and 12.3.
7GDPR, art. 12.3.
GDPR, art. 12.3. Decision 11/2024 — 5/8
to lodge a complaint with a supervisory authority and lodge an appeal
jurisdictional.
21. In addition, the Chamber also recalls that in its capacity as data controller, the party
defendant is required to respect the principles of data protection and must be in
able to demonstrate that these are respected. It must also implement
all measures necessary for this purpose (principle of liability – articles 5.2 and 24 of the
GDPR).
9
22. Finally, the Litigation Chamber recalls that the right of access is one of the requirements
major aspects of the right to data protection, it constitutes the “entrance door” which allows
the exercise of other rights that the GDPR confers on the data subject, such as the right to
rectification, the right to restriction of processing or the right to erasure.
23. Under the terms of article 15.3 of the GDPR, the person concerned also has the right to obtain a
copy of the personal data which is the subject of the processing. Article 15.4 of
GDPR provides that this right to copy cannot infringe the rights and freedoms of others.
24. On the basis of the documents supporting the complaint, the Litigation Chamber finds that the complainant
has effectively exercised his right of access, in accordance with article 15.1 of the GDPR (see points
5, 6, 7, 15). SPL recommendations dated July 3, 2023, combined with the response
of the defendant dated August 7, 2023, clearly confirm the exercise of this right. There
Litigation Chamber adds that the defendant indicated, in its letter of August 7
2023, that the “..” of the Order to which this professional concerned depends will carry out
verifications and will communicate the results resulting from these verifications. Bedroom
Contentious note that the complainant submitted his complaint to the APD on September 29, 2023,
thus exceeding the response times allocated to the data controller under the
articles 12.3 and 12.4 of the GDPR. Finally, the Litigation Chamber emphasizes that if the party
defendant had fully complied with the requirements set out in Article 12 of the GDPR, it
would have taken into account the request for access by communicating the aforementioned assessment (see
point 8).This approach would have potentially avoided the complainant having to initiate a procedure
in front of the ODA.
25. Following the above-mentioned analysis, the Litigation Chamber considers that the party
defendant could have committed a violation of the following provisions: article 15 of the
8GDPR, art. 12.4.
9Under the terms of this article 15, the data subject has the right to obtain from the data controller confirmation that the data to be
personal nature concerning them are or are not processed and, when they are, access to said personal data as well as
that the following information (article 15.1. of the GDPR): the purposes of the processing (a), the categories of personal data (b), the
recipients or categories of recipients of the data (c), the retention period (d), information relating to other rights that
confers the GDPR (e), the right to lodge a complaint with the data protection authority (f), any information relating to the source
data when this has not been collected from the person concerned (g) and the existence of automated decision-making
(h). Article 15.2 of the GDPR provides that if the data is transferred to a third country or an international organization, the person
concerned has the right to be informed of the appropriate guarantees regarding this transfer, in accordance with Article 46 of the GDPR. Article 15.3.
of the GDPR provides that the data controller must provide a copy of the personal data subject to processing. He
may charge a reasonable fee for additional copies. If the data subject makes their request electronically, the
Information must be provided in a standard electronic form, unless the individual requests otherwise. Decision 11/2024 — 6/8
GDPR, combined with articles 12.3 and 12.4 of the GDPR; what justifies making a decision
prima facie by the Litigation Chamber which is as follows: under article
58.2.c) of the GDPR and article 95, §1, 5° of the LCA, to order the defendant to
comply with the complainant’s request to exercise their right of access.
26. This decision is a prima facie decision taken by the Litigation Chamber
in accordance with article 95 of the LCA on the basis of the complaint lodged by the complainant,
as part of the “procedure prior to the substantive decision” and does not constitute a
decision on the merits of the Litigation Chamber within the meaning of article 100 of the LCA.
27. The purpose of this decision is to inform the defendant, presumed responsible
of the processing, due to the fact that it may have committed a violation of the provisions of the GDPR,
in order to enable it to still comply with the aforementioned provisions.
28. If, however, the defendant party does not agree with the content of this
prima facie decision and considers that it can put forward factual arguments and/or
legal issues which could lead to another decision, it may address to the Chamber
Litigation a request for processing on the merits of the case via the email address
litigationchamber@apd-gba.be, within 30 days after notification of the
this prima facie decision. If applicable, the execution of this decision is
suspended for the aforementioned period.
29. In the event of continued processing of the case on the merits, under Articles 98, 2° and 3°
juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their
conclusions and attach to the file all the documents they consider useful. If applicable, the
This decision is permanently suspended.
30. With a view to transparency, the Litigation Chamber finally emphasizes that a
treatment of the case on the merits may lead to the imposition of the measures mentioned in
section 100 of the LCA .11
31. Finally, the Litigation Chamber further draws attention to the following:
1Section 3, Subsection 2 of the LCA (articles 94 to 97 inclusive).
1Art. 100. § 1. The litigation chamber has the power to
1° close the complaint without further action;
2° order the dismissal of the case;
3° pronounce the suspension of the sentence;
4° propose a transaction;
5° issue warnings and reprimands;
6° order to comply with the requests of the person concerned to exercise their rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or definitive ban on processing;
9° order compliance of the processing;
10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data;
11° order the withdrawal of the approval of certification bodies;
12° give fines;
13° issue administrative fines;
14° order the suspension of cross-border data flows to another State or an international body;
15° transmit the file to the public prosecutor of the King of Brussels, who will inform it of the action taken in the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 11/2024 — 7/8
If one of the two parties wishes to use the possibility of consulting and copying the file
(article 95, § 2, 3° of the LCA), it must contact the secretariat of the Litigation Chamber,
preferably via the email address litigationchamber@apd-gba.be, in order to set up an appointment
you. If a copy of the file is requested, the documents will if possible be sent by
electronically or, failing that, by ordinary mail
III. Publication of the decision
32. Given the importance of transparency regarding the decision-making process of the Chamber
Contentious, this decision is published on the website of the Protection Authority
Datas. However, it is not necessary for this purpose that the identification data
parts are directly communicated.
FOR THESE REASONS ,
the Litigation Chamber of the Data Protection Authority decides, subject to
the submission of a request by the defendant for treatment on the merits
in accordance with articles 98 e.s. of the LCA:
- under article 58.2.c) of the GDPR and article 95, §1, 5° of the LCA,
to order the defendant to comply with the person's request
concerned to exercise their rights, more specifically the right of access, by providing the
bilitive result as indicated in the email of August 7, 2023; and this within the deadline
30 days from the date of notification of this decision;
- to order the defendant to inform the Protection Authority by e-mail
data (Litigation Chamber) of the follow-up given to this decision,
within the same period, via the email address litigationchamber@apd-gba.be; And
- if the defendant does not comply in a timely manner with what is requested of him
above, to deal ex officio with the case on the merits, in accordance with articles 98 e.s.
of the LCA.
In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged,
within thirty days from its notification, to the Court of Markets (court
of Appeal of Brussels), with the Data Protection Authority as defendant.
Such an appeal may be introduced by means of an interlocutory request which must contain the
information listed in article 1034ter of the Judicial Code. The interlocutory request must be
12
The request barely contains nullity:
2° the name, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or number
business; Decision 11/2024 — 8/8
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 13
via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.).
(sé). Hielke H IJMANS
President of the Litigation Chamber
3° the surname, first name, address and, where applicable, the status of the person to be summoned;
4° the object and summary of the grounds of the request;
5° indication of the judge who is seized of the request;
136° the signature of the applicant or his lawyer.
The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to
clerk of the court or filed with the registry.
