APD/GBA (Belgium) - 160/2022: Difference between revisions
m (→Holding) |
(Adjusted tenses /// lack of the specified nature of controller added to the facts /// provided links to GDPR articles in the short summary) |
||
Line 69: | Line 69: | ||
}} | }} | ||
The Belgian DPA | The Belgian DPA ordered a controller to fulfill a data subject request. The controller did not respond to an access request ([[Article 15 GDPR]]) and an erasure request ([[Article 17 GDPR]]), resulting in violations of [[Article 12 GDPR|Articles 12(3)]], [[Article 15 GDPR|15(1)]] and [[Article 17 GDPR|17(1) GDPR]]. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject was | The data subject was called multiple times by the controller, which used different phone numbers. These were national -, foreign - and anonymous numbers. The nature of the controller was not specified in the decision. The data subject asked the controller for a copy of his data ([[Article 15 GDPR|Article 15 GDPR)]] and asked the controller multiple times to remove his data ([[Article 17 GDPR|Article 17 GDPR)]]. The data subject submitted the erasure requests both by e-mail and using the controller’s website. However, the controller never replied. | ||
=== Holding === | === Holding === | ||
The DPA | The DPA held that the data subject properly submitted his access - and erasure requests ([[Article 15 GDPR|Articles 15]] and [[Article 17 GDPR|17 GDPR)]]. The DPA reaffirmed that [[Article 12 GDPR|Article 12(3) GDPR]] and [[Article 12 GDPR|Article 15(4) GDPR]] oblige the controller to provide the data subject with the requested information and remove its personal data within one month. This period can be extended with two additional months for complex requests. However, the controller has to notify and justify this extension to the data subject within the first month. If the controller is unable to follow up on the requests of the data subject, the controller still has to inform the data subject about their incapacity and inform the data subject about their right to file a complaint at the regulatory authority. | ||
The DPA holds that the controller breached [[Article 12 GDPR | The DPA held holds that the controller breached [[Article 12 GDPR|Articles 12(3) GDPR]], [[Article 15 GDPR|Article 15(1) GDPR]] and [[Article 17 GDPR|Article 17(1) GDPR]] by not responding to any request made by the data subject. | ||
The DPA orders the controller to fulfill the data subject requests within 30 days. This order is based on | The DPA orders the controller to fulfill the data subject requests within 30 days. This order is based on Article 95, § 1, 5° WOG (law establishing the Belgian DPA) and [[Article 58 GDPR|Article 58(2)(c) GDPR]]. This order is not a final decision in light of article 100 WOG but a decision in a procedure prior to the decision on the merits. | ||
== Comment == | == Comment == |
Revision as of 11:11, 25 November 2022
APD/GBA - 160/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12(3) GDPR Article 12(4) GDPR Article 15 GDPR Article 17 GDPR Article 17(1) GDPR Wet tot oprichting Gegevensbeschermingsautoriteit |
Type: | Complaint |
Outcome: | Upheld |
Started: | 21.09.2022 |
Decided: | 08.11.2022 |
Published: | 24.11.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 160/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Gegevensbeschermingsautoriteit (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA ordered a controller to fulfill a data subject request. The controller did not respond to an access request (Article 15 GDPR) and an erasure request (Article 17 GDPR), resulting in violations of Articles 12(3), 15(1) and 17(1) GDPR.
English Summary
Facts
The data subject was called multiple times by the controller, which used different phone numbers. These were national -, foreign - and anonymous numbers. The nature of the controller was not specified in the decision. The data subject asked the controller for a copy of his data (Article 15 GDPR) and asked the controller multiple times to remove his data (Article 17 GDPR). The data subject submitted the erasure requests both by e-mail and using the controller’s website. However, the controller never replied.
Holding
The DPA held that the data subject properly submitted his access - and erasure requests (Articles 15 and 17 GDPR). The DPA reaffirmed that Article 12(3) GDPR and Article 15(4) GDPR oblige the controller to provide the data subject with the requested information and remove its personal data within one month. This period can be extended with two additional months for complex requests. However, the controller has to notify and justify this extension to the data subject within the first month. If the controller is unable to follow up on the requests of the data subject, the controller still has to inform the data subject about their incapacity and inform the data subject about their right to file a complaint at the regulatory authority.
The DPA held holds that the controller breached Articles 12(3) GDPR, Article 15(1) GDPR and Article 17(1) GDPR by not responding to any request made by the data subject.
The DPA orders the controller to fulfill the data subject requests within 30 days. This order is based on Article 95, § 1, 5° WOG (law establishing the Belgian DPA) and Article 58(2)(c) GDPR. This order is not a final decision in light of article 100 WOG but a decision in a procedure prior to the decision on the merits.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/6 Litigation room Decision 160/2022 of 8 November 2022 File number : DOS-2022-04158 Subject: Complaint due to insufficient follow-up to the right of inspection The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, sole chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the rules of internal order, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has taken the following decision regarding: . The complainant: Mr X, hereinafter referred to as “the complainant”; . . The defendant: Y, hereinafter “the defendant”. Decision 160/2022 - 2/6 I. Factual Procedure 1. On 21 September 2022, the complainant submitted a complaint to the Data Protection Authority against the defendant. The complainant works in the IT sector and is regularly called by the controller, either via different (foreign) telephone numbers, or anonymously. The complainant indicates that he has already made several requests during these telephone conversations to delete his data, but this was never done. The complainant was allowed nor did we receive a response to the request for data erasure via the website or email regarding his data erasure request which he has sent directly to the data protection officer. On August 16, 2022, the complainant received another email a request for access in accordance with Article 15 GDPR and a request for data erasure in accordance with Article 17 GDPR addressed to the controller, to which he has no received a reply. 2. On 12 October 2022, this complaint was declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint pursuant to Article 62, §1 WOG is transferred to the Disputes Chamber. II. Motivation 3. On the basis of the complaint and the enclosed supporting documents, the Disputes Chamber determines that the the complainant has properly exercised his right to erasure and right of access. 4. With regard to the right of access, the Disputes Chamber refers to Article 15 GDPR. In accordance Article 15 GDPR, the data subject has the right to obtain a confirmation from the controller about whether or not personal data concerning him is being processed and, when that is the case, to obtain access to that personal data and to the following information: a) the processing purposes; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data are or will be provided, in particular recipients in third countries or international organisations; d) if possible, the period during which the personal data is expected to be retained are stored, or if that is not possible, the criteria for determining that period; e) that the data subject has the right to request from the controller that personal data are rectified or erased, or that the processing concerns him personal data is restricted, as well as the right to object to that processing; Decision 160/2022 - 3/6 f) that the data subject has the right to lodge a complaint with a supervisory authority; g) where the personal data is not collected from the data subject, all available information about the source of that data; h) the existence of automated decision-making, including those referred to in Article 22(1) and 4, the profiling referred to, and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the data subject. 5. Based on Article 17.1 GDPR, the data subject has the right of the controller to obtain the erasure of personal data concerning him without unreasonable delay. 6. Pursuant to Articles 12.3 and 12.4 GDPR, the controller shall inform the data subject within at the latest one month after receipt of the request for access to the requested information and to delete the personal data in question when requesting data erasure. In in the case of complex requests, this period can be extended by a further two months if necessary be extended. The controller shall inform the data subject within one month receipt of the request of such extension. When the controller does not comply with the request of the data subject, he shares it the latter without delay and at the latest within one month of receipt of the request why it request has not been acted upon, and informs him of the possibility of lodging a complaint to a supervisory authority and appeal to the courts. 7. Based on the complaint and the documents submitted by the complainant, the Disputes Chamber will determine that the complainant should not have received any reply from the controller to his request for inspection, nor to his request for data erasure, which constitutes an infringement to Article 12.3 GDPR, Article 15.1 GDPR and Article 17.1 GDPR. 8. The Disputes Chamber is of the opinion that on the basis of the above analysis it should be concluded that the controller has committed a breach of the provisions of the GDPR was committed, which justifies taking a decision pursuant to Article 95, § 1, 5° WOG, in particular to order that the request of the complainant to exercise his rights, in particular the right of access (article 15.1 AVG), and proceed to grant access to the relevant personal data and become complied with the request of the data subject to exercise his rights, in particular the right to data deletion (article 17.1 GDPR), and to delete the relevant data personal data. 9. The present decision is a prima facie decision taken by the Litigation Chamber in accordance with article 95 WOG on the basis of the complaint submitted by the complainant, in the context of Decision 160/2022 - 4/6 1 the “procedure prior to the decision on the merits” and no decision on the merits of the Disputes Chamber within the meaning of Article 100 WOG. 10. The purpose of this decision is to inform the controller of the fact that it may have committed a breach of the provisions of the GDPR and put it in the possibility to still comply with the aforementioned provisions. 11. However, if the controller does not agree with the content of this prima facie decision and considers that it may leave factual and/or legal arguments funds that could lead to a different decision, this can be done via the e-mail address litigationchamber@apd-gba.be to submit a request for consideration of the merits of the case to the Litigation Chamber and this within the period of 30 days after notification of this decision. The enforcement of this decision will, if necessary, take place during the aforementioned period suspended. 12. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber the parties pursuant to Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their submit defenses as well as attach any documents they deem useful to the file. The the present decision will, if necessary, be definitively suspended. 13. The Disputes Chamber points out for the sake of completeness so that a hearing on the merits of the case can take place 2 lead to the imposition of the measures referred to in Article 100 WOG. 14. Finally, the Disputes Chamber points out the following: 1Section 3, Subsection 2 WOG (Articles 94 through 97). 2Art. 100. § 1. The Litigation Chamber has the power to: 1° to dismiss a complaint; 2° to order the exclusion from prosecution; 3° order the suspension of the judgment; 4° propose a settlement; 5° formulate warnings and reprimands; 6° order that the data subject's requests to exercise his rights be complied with; 7° order that the data subject be informed of the security problem; 8° order that the processing be temporarily or permanently frozen, restricted or prohibited; 9° order that the processing be brought into compliance; 10° the rectification, restriction or deletion of data and the notification thereof to the recipients of the data command; 11° order the withdrawal of the accreditation of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° order the suspension of cross-border data flows to another State or an international institution; 15° transfer the file to the Public Prosecutor's Office of the Crown Prosecutor in Brussels, who informs it of the follow-up to the file is given; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. §2.If, after application of §1,15°, the Public Prosecutor's Office decides not to institute criminal proceedings, an amicable settlement or to propose mediation in criminal matters referred to in Article 216ter of the Code of Criminal Procedure, or when it Public Prosecution Service has not taken a decision within a period of six months from the day of receipt of the file, the Data Protection Authority decides whether the administrative procedure must be resumed. Decision 160/2022 - 5/6 If one of the parties wishes to make use of the possibility to consult and copying the file (art. 95, § 2, 3° WOG), he must turn to the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment to capture. If a copy of the file is requested, the documents will be sent electronically if possible or otherwise delivered by regular mail. III. Publication of the decision 15. Given the importance of transparency with regard to decision-making by the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for this to include the identification data of the parties are disclosed directly. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: 1. pursuant to Article 58.2, c) GDPR and Article 95, §1, 5° WOG order the defendant that the request of the data subject to exercise his rights is complied with, more determines the right of inspection (article 15.1 AVG), and to grant access to the relevant personal data, and this within a period of 30 days, counting from notification of this decision 2. pursuant to Article 58.2, c) GDPR and Article 95, §1, 5° WOG order the defendant that the request of the data subject to exercise his rights is complied with, more Hielke Hijmansd has the right to erasure (article 17.1 GDPR), and to delete the Chairman of the personal data, and this within a period of 30 days from the notification of this decision; 3. order the defendant to the Data Protection Authority (Litigation Chamber) by e-mail to be informed within the same period of the effect of this decision given via the e-mail address litigationchamber@apd-gba.be; and 4. in the absence of the timely implementation of the above by the defendant, the case to be dealt with on the merits ex officio in accordance with Articles 98 et seq. of the WOG. Decision 160/2022 - 6/6 Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification this decision may be appealed to the Marktenhof (Brussels Court of Appeal), with the Data Protection Authority as defendant. Such an appeal may be lodged by means of an inter partes petition that the in art 3 1034terofthe Judicial Codemustcontainenumeratedenumerations. contradictions must be submitted to the Registry of the Market Court in accordance with Article 1034quinquiesvanhetGer.W. , or via the Deposit Information System of Justice (article 32ter of the Ger.W.). (get). Hielke HIJMANS Chairman of the Litigation Chamber 3 The petition states, under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, where appropriate, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer. 4 The petition with its annex is sent by registered letter in as many copies as there are parties involved the clerk of the court or deposited at the clerk's office.