APD/GBA (Belgium) - 60/2024: Difference between revisions
Revision as of 07:42, 30 April 2024
APD/GBA - 60/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(f) GDPR Article 24 GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 22.04.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 60/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | APD (in FR) |
Initial Contributor: | nzm |
The DPA held that a controller unlawfully disclosed the data subject's client number when it consulted a public body's database to determine whether the data subject could benefit from a preferential price. However, the data subject had never made such a request.
English Summary
Facts
On 24 October 2023, the data subject received a notification from a public body stating that, after examination of the documents she had submitted to apply for a price reduction with the controller (a private company) in light of her low income ("social tariff"), it had been concluded that she did not meet the criteria. The data subject was a client of the controller.
On 25 October 2023, the data subject responded, indicating that she had not submitted a verification request to the public body.
On 26 October 2023, the public body responded that the requests were initiated by the controller and provided a summary of the data subject's file containing all the requests made by the controller. It also informed the data subject that another application was pending and that she should lodge a complaint with the controller if these applications had been made by mistake.
On the same day, the data subject asked that these applications be closed as she never gave consent for them. A day later, she received a new notification from the public body stating, once again, that she did not meet the criteria.
The data subject lodged a complaint with the Belgian DPA ("APD") against the controller for an unlawful transfer of personal data. On 17 November 2023, the controller's DPO indicated that the controller consulted the public body's database to determine the eligibility of another customer, but mistakenly used the data subject's client number. The controller also explained that the public body misunderstood the data subject's request of 26 October 2023 and thought the latter requested a new check to confirm the first request, which led to two refusal notifications. The controller also argued that there was no disclosure of personal data to the public body, and it was simply a consultation of its database, carried out by the controller.
The data subject indicated that her personal data should have never been in the public body's database in the first place.
Holding
Firstly, under Article 5(1)(f) GDPR, the controller must process data in a manner that ensures appropriate security, including protection against unlawful processing, by using appropriate technical or organisational measures. Secondly, Article 24 GDPR establishes that the controller must implement appropriate technical and organisational measures and review and update them when necessary. Finally, Article 32 GDPR gives a non-exhaustive list of these measures.
The APD noted that the controller itself acknowledged that personal data had been transferred to the public body by error. The DPA held that this illustrates that the controller might have breached Articles 5(1)(f), 24 and 32 GDPR by failing to establish technical and organisational measures capable of preventing a customer's personal data from being erroneously communicated such a large number of times.
Therefore, the APD adopted a warning against the controller. This was a prima facie decision.
Comment
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA ruled solely on the basis of the complaint, without conducting a procedure. The controller can still request a procedure if it does not agree.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Litigation Chamber
Decision 60/2024 of April 22, 2024
File number: DOS-2023-04811
Subject: Complaint relating to the unlawful sharing of personal data without prior consent
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke HIJMANS, president;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”;
Having regard to the Law of December 3, 2017 establishing the Data Protection Authority, hereinafter “ACL”;
Considering the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Has taken the following decision regarding:
The complainant:
The defendant: Y, hereinafter: “the defendant”
I. Facts and procedure
1. On October 26, 2023, the complainant filed a complaint with the Data Protection Authority (hereinafter “the DPA”) against the defendant party, Y (hereinafter “the defendant”), of whom she is a customer.
2. The subject of the complaint concerns unlawful sharing of personal data by the defendant without the consent of the plaintiff to a federal public interest organization (hereinafter “Z”), in order to verify its eligibility for “social tariff” status.
3. On October 24, 2023, the complainant received a notification from Z, indicating that, after review of the documents she had submitted to request the social tariff from Y, it had been concluded that it did not meet the conditions set out in article (..) (hereinafter “refusal 1 of the TS”).
4. On October 25, 2023, the defendant reacted to a request from the plaintiff with reference to the notification of the “refusal 1 of the TS” from “Z”, specifying that she had not submitted a request verification at Z.
5. On October 26, 2023, Z responded to a request from the complainant regarding the verification of its status for the social tariff. Z reiterated the information previously communicated, in particular by explaining that the verification requests were initiated by the defendant (Y) and not by Z himself. Z also provided a summary of the file of the plaintiff, mentioning all requests made by the defendant, including a first request dated 10/16, closed by Z following the email of October 24, 2023, as well as a new request “introduced twice by (the defendant) dated 10/25”. Finally, Z explained the procedure followed by applicants when requesting verification of the conditions for granting the social tariff. Z informed the complainant that another request was in progress and that she should file a complaint with the defendant if these requests had been submitted in error.
6. The same day, the complainant requested the closure of all requests for “social tariff” status in her name, because she had never given her consent for such requests. She also asked Z to warn the defendant to stop all similar requests.
7. On October 27, 2023, the complainant received further notification from Z stating that, following upon examination of the documents she had submitted to request the social rate from Y, it had been concluded that it did not meet the necessary conditions (hereinafter “refusal 2 of the TS”). The same day, the plaintiff filed a complaint against the defendant for illicit transfer of its data.
8. On November 17, 2023, the data protection officer (hereinafter “DPO”) of the defendant explained to the complainant that Y consulted Z’s database by mistake to determine eligibility for the social tariff using their customer number, instead of that from another customer who had requested it. Following the complainant’s first complaint, the complaint was handled by the same customer service agent who misunderstood the request and had requested on October 25, 2023 a new verification of the basis of data from Z to confirm the first request for eligibility for the social tariff dated 16 October 2023. These errors led to two refusal notifications from Z. The DPO held to clarify that this was not a disclosure of the complainant's personal data to Z, but of a consultation carried out by Y, and he apologized for the inconvenience caused. The same day, the complainant reiterated that his data should never have been found in Z's database.
9. On November 27, 2023, the complaint was declared admissible by the Front Line Service [1] on the basis of articles 58 and 60 of the ACL and the complaint was transmitted to the Litigation Chamber [2] under article 62, § 1 of the LCA.
10. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the order regulations internal to the DPA, a copy of the file may be requested by the parties. If one of the parties wishes to make use of the possibility of consulting the file, they are required to contact the secretariat of the Litigation Chamber, preferably via the address litigationchamber@apd-gba.be.
II. Motivation
11. The Litigation Chamber notes that article 5.2 of the GDPR provides that any responsible processing must be able to demonstrate compliance with the first paragraph of the same article (principle commonly called “accountability”).
12. Point f) of Article 5.1 of the GDPR more specifically provides that the person responsible for processing must ensure that “technical or organizational measures are put in place "appropriate", that is to say measures capable of guaranteeing sufficient security of personal data relating to a data subject, thereby protecting these of unauthorized or unlawful processing, and accidental events such as their loss or destruction, in particular.
13. Article 24 of the GDPR specifies that these measures must be subject to review and updating if necessary, and that they must be adopted with regard to “the nature, the scope, context and purposes of the processing as well as the risks, including the degree of probability and severity varies, for the rights and freedoms of natural persons”.
14. Article 32 of the GDPR illustrates – without being exhaustive – this obligation to take measures appropriate technical or organizational arrangements, giving the following examples: “a) the pseudonymization and encryption of personal data; b) means to ensure confidentiality, integrity, availability and resilience constants of processing systems and services; c) means enabling restore the availability of and access to personal data in appropriate deadlines in the event of a physical or technical incident; (d) a procedure aimed at testing, to regularly analyze and evaluate the effectiveness of technical measures and organizational measures to ensure the security of the processing.”
15. In the present case, the Litigation Chamber notes that the defendant’s DPO recognized itself that the personal data of the complainant were transferred by error in Z with three occurrences (see point 8). In this way, it appears that the defendant could have disregarded articles 5.1.f), 24 and 32 of the GDPR by not having established technical or organizational measures such as to avoid communicating in error the personal data of a client such a number of times.
16. The Litigation Chamber considers that on the basis of the above-mentioned facts, there is reason to conclude that the defendant may have committed a violation of the provisions of the GDPR, which justifies that in this case, a decision is taken in accordance with article 95, § 1, ° of the LCA, more precisely the adoption of a warning decision, and this in particular seen:
17. This decision is a prima facie decision taken by the Litigation Chamber in accordance with article 95 of the LCA on the basis of the complaint lodged by the complainant, within the framework of the “procedure prior to the substantive decision” [3] and not a decision on the merits of the Litigation Chamber within the meaning of article 100 of the LCA.
18. The purpose of this decision is to inform the defendant, presumed responsible for the processing, due to the fact that it may have committed a violation of the provisions of the GDPR, in order to enable it to still comply with the aforementioned provisions.
19. If, however, the defendant does not agree with the content of this decision prima facie and considers that it can put forward factual and/or legal arguments which could lead to another decision, it may address to the Litigation Chamber a request for processing on the merits of the case via the email address litigationchamber@apd-gba.be, within 30 days of notification of this decision. The case
Litigation a request for processing on the merits of the case via the email address litigationchamber@apd-gba.be, within 30 days of notification of this decision. If applicable, the execution of this decision is suspended for the period mentioned above.
And, on the other hand, the defendant may lodge an appeal against this decision in accordance with Article 108, § 1 of the LCA, within 30 days from its notification, to the Court of Markets (Brussels Court of Appeal), with the Data Protection Authority as a party defendant.
Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code [5]. The request interlocutory must be filed at the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud., or via the e-Deposit information system of the Ministry of Justice (article 32ter of the Judicial Code).
(sé). Hielke HIJMANS
President of the Litigation Chamber
[1] Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been declared admissible.
[2] Pursuant to article 95, § 2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that following this complaint, the file was sent to him.
[3] Section 3, Subsection 2 of the LCA (articles 94 to 97 inclusive).
[5] The request contains barely any nullity: 1° indication of the day, month and year; 2° the name, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or Business Number; 3° the surname, first name, address and, where applicable, the status of the person to be summoned; 4° the object and summary of the grounds of the request; 5° indication of the judge who is seized of the request; 6° the signature of the applicant or his lawyer.
[6] The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by letter recommended to the court clerk or filed with the court registry.