APD/GBA (Belgium) - 160/2022: Difference between revisions

From GDPRhub
(Adjusted tenses /// lack of the specified nature of controller added to the facts /// provided links to GDPR articles in the short summary)
Line 69: Line 69:
}}
}}


The Belgian DPA orders a controller to fulfill a data subject request. The controller ignored the right of access (Article 15 GDPR) and the right to erasure (Article 17 GDPR). By doing so, the controller breached its transparency obligation (Article 12(3) GDPR) and its obligation to erase personal data (Article 17(1) GDPR).
The Belgian DPA ordered a controller to fulfill a data subject request. The controller did not respond to an access request ([[Article 15 GDPR]]) and  an erasure request ([[Article 17 GDPR]]), resulting in violations of [[Article 12 GDPR|Articles 12(3)]], [[Article 15 GDPR|15(1)]] and [[Article 17 GDPR|17(1) GDPR]].


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject was being called multiple times by the controller through national, foreign and anonymous numbers. The data subject asked the controller for a copy of their data based on [[Article 15 GDPR|Article 15 GDPR]] and to remove their data according to [[Article 17 GDPR|Article 17 GDPR]]. However, the controller never replied and kept calling.
The data subject was called multiple times by the controller, which used different phone numbers. These were national -, foreign - and anonymous numbers. The nature of the controller was not specified in the decision. The data subject asked the controller for a copy of his data ([[Article 15 GDPR|Article 15 GDPR)]] and asked the controller multiple times to remove his data ([[Article 17 GDPR|Article 17 GDPR)]]. The data subject submitted the erasure requests both by e-mail and using the controller’s website. However, the controller never replied.  


=== Holding ===
=== Holding ===
The DPA holds that the data subject properly submitted its right of access and right to be forgotten under [[Article 15 GDPR|Article 15 GDPR]] and [[Article 17 GDPR|Article 17 GDPR]]. The DPA reaffirms that [[Article 12 GDPR#3|Article 12(3) GDPR]] and [[Article 12 GDPR#4|Article 15(4) GDPR]] oblige the controller to provide the data subject with the requested information and remove its personal within one month. This period can be extended with two additional months for complex requests. However, the controller has to notify and justify this extension to the data subject within the first month. If the controller is unable to follow up on the requests of the data subject, the controller still has to inform the data subject about their incapacity and inform the data subject about their right to file a complaint at the regulatory authority.  
The DPA held that the data subject properly submitted his access - and erasure requests ([[Article 15 GDPR|Articles 15]] and [[Article 17 GDPR|17 GDPR)]]. The DPA reaffirmed that [[Article 12 GDPR|Article 12(3) GDPR]] and [[Article 12 GDPR|Article 15(4) GDPR]] oblige the controller to provide the data subject with the requested information and remove its personal data within one month. This period can be extended with two additional months for complex requests. However, the controller has to notify and justify this extension to the data subject within the first month. If the controller is unable to follow up on the requests of the data subject, the controller still has to inform the data subject about their incapacity and inform the data subject about their right to file a complaint at the regulatory authority.  


The DPA holds that the controller breached [[Article 12 GDPR#3|Article 12(3) GDPR]], [[Article 15 GDPR#1|Article 15(1) GDPR]] and [[Article 17 GDPR#1|Article 17(1) GDPR]] by not responding to any request made by the data subject.  
The DPA held holds that the controller breached [[Article 12 GDPR|Articles 12(3) GDPR]], [[Article 15 GDPR|Article 15(1) GDPR]] and [[Article 17 GDPR|Article 17(1) GDPR]] by not responding to any request made by the data subject.


The DPA orders the controller to fulfill the data subject requests within 30 days. This order is based on article 95, § 1, 5° WOG (law establishing the Belgian DPA) and [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]]. This order is not a final decision in light of article 100 WOG but a decision in a procedure prior to the decision on the merits.
The DPA orders the controller to fulfill the data subject requests within 30 days. This order is based on Article 95, § 1, 5° WOG (law establishing the Belgian DPA) and [[Article 58 GDPR|Article 58(2)(c) GDPR]]. This order is not a final decision in light of article 100 WOG but a decision in a procedure prior to the decision on the merits.


== Comment ==
== Comment ==

Revision as of 11:11, 25 November 2022

APD/GBA - 160/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 12(4) GDPR
Article 15 GDPR
Article 17 GDPR
Article 17(1) GDPR
Wet tot oprichting Gegevensbeschermingsautoriteit
Type: Complaint
Outcome: Upheld
Started: 21.09.2022
Decided: 08.11.2022
Published: 24.11.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 160/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Gegevensbeschermingsautoriteit (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA ordered a controller to fulfill a data subject request. The controller did not respond to an access request (Article 15 GDPR) and  an erasure request (Article 17 GDPR), resulting in violations of Articles 12(3), 15(1) and 17(1) GDPR.

English Summary

Facts

The data subject was called multiple times by the controller, which used different phone numbers. These were national -, foreign - and anonymous numbers. The nature of the controller was not specified in the decision. The data subject asked the controller for a copy of his data (Article 15 GDPR) and asked the controller multiple times to remove his data (Article 17 GDPR). The data subject submitted the erasure requests both by e-mail and using the controller’s website. However, the controller never replied.

Holding

The DPA held that the data subject properly submitted his access - and erasure requests (Articles 15 and 17 GDPR). The DPA reaffirmed that Article 12(3) GDPR and Article 15(4) GDPR oblige the controller to provide the data subject with the requested information and remove its personal data within one month. This period can be extended with two additional months for complex requests. However, the controller has to notify and justify this extension to the data subject within the first month. If the controller is unable to follow up on the requests of the data subject, the controller still has to inform the data subject about their incapacity and inform the data subject about their right to file a complaint at the regulatory authority.

The DPA held holds that the controller breached Articles 12(3) GDPR, Article 15(1) GDPR and Article 17(1) GDPR by not responding to any request made by the data subject.

The DPA orders the controller to fulfill the data subject requests within 30 days. This order is based on Article 95, § 1, 5° WOG (law establishing the Belgian DPA) and Article 58(2)(c) GDPR. This order is not a final decision in light of article 100 WOG but a decision in a procedure prior to the decision on the merits.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/6







                                                                                   Litigation room



                                                     Decision 160/2022 of 8 November 2022



File number : DOS-2022-04158



Subject: Complaint due to insufficient follow-up to the right of inspection



The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,
sole chairman;



Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on

the protection of natural persons with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46/EC (general
Data Protection Regulation), hereinafter GDPR;



Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;



Having regard to the rules of internal order, as approved by the Chamber of Representatives
on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;



Having regard to the documents in the file;




has taken the following decision regarding:

                                                                                                   .

The complainant: Mr X, hereinafter referred to as “the complainant”; .
                                                                                                   .

The defendant: Y, hereinafter “the defendant”. Decision 160/2022 - 2/6



I. Factual Procedure


    1. On 21 September 2022, the complainant submitted a complaint to the Data Protection Authority

        against the defendant.


        The complainant works in the IT sector and is regularly called by the

        controller, either via different (foreign) telephone numbers, or
        anonymously. The complainant indicates that he has already made several requests during these telephone conversations

        to delete his data, but this was never done. The complainant was allowed

        nor did we receive a response to the request for data erasure via the website or email

        regarding his data erasure request which he has sent directly to the

        data protection officer. On August 16, 2022, the complainant received another email

        a request for access in accordance with Article 15 GDPR and a request for data erasure
        in accordance with Article 17 GDPR addressed to the controller, to which he has no

        received a reply.


    2. On 12 October 2022, this complaint was declared admissible by the First Line Service on the basis of

        Articles 58 and 60 WOG and the complaint pursuant to Article 62, §1 WOG is transferred to
        the Disputes Chamber.


II. Motivation


    3. On the basis of the complaint and the enclosed supporting documents, the Disputes Chamber determines that the

        the complainant has properly exercised his right to erasure and right of access.


    4. With regard to the right of access, the Disputes Chamber refers to Article 15 GDPR. In accordance
        Article 15 GDPR, the data subject has the right to obtain a confirmation from the controller

        about whether or not personal data concerning him is being processed and, when

        that is the case, to obtain access to that personal data and to the following information:


        a) the processing purposes;

        b) the categories of personal data concerned;


        c) the recipients or categories of recipients to whom the personal data are or will be

        provided, in particular recipients in third countries or international organisations;

        d) if possible, the period during which the personal data is expected to be retained

        are stored, or if that is not possible, the criteria for determining that period;


        e) that the data subject has the right to request from the controller that
        personal data are rectified or erased, or that the processing concerns him

        personal data is restricted, as well as the right to object to that processing; Decision 160/2022 - 3/6



    f) that the data subject has the right to lodge a complaint with a supervisory authority;


    g) where the personal data is not collected from the data subject, all available

    information about the source of that data;


    h) the existence of automated decision-making, including those referred to in Article 22(1) and
    4, the profiling referred to, and, at least in those cases, useful information about the underlying

    logic, as well as the importance and expected consequences of that processing for the data subject.


5. Based on Article 17.1 GDPR, the data subject has the right of the controller

    to obtain the erasure of personal data concerning him without unreasonable delay.

6. Pursuant to Articles 12.3 and 12.4 GDPR, the controller shall inform the data subject within

    at the latest one month after receipt of the request for access to the requested information

    and to delete the personal data in question when requesting data erasure. In

    in the case of complex requests, this period can be extended by a further two months if necessary

    be extended. The controller shall inform the data subject within one month
    receipt of the request of such extension. When the

    controller does not comply with the request of the data subject, he shares it

    the latter without delay and at the latest within one month of receipt of the request why it

    request has not been acted upon, and informs him of the possibility of lodging a complaint

    to a supervisory authority and appeal to the courts.

7. Based on the complaint and the documents submitted by the complainant, the Disputes Chamber will determine

    that the complainant should not have received any reply from the controller

    to his request for inspection, nor to his request for data erasure, which constitutes an infringement

    to Article 12.3 GDPR, Article 15.1 GDPR and Article 17.1 GDPR.


8. The Disputes Chamber is of the opinion that on the basis of the above analysis it should be
    concluded that the controller has committed a breach of the provisions of the

    GDPR was committed, which justifies taking a

    decision pursuant to Article 95, § 1, 5° WOG, in particular to order that the

    request of the complainant to exercise his rights, in particular the right of access (article 15.1

    AVG), and proceed to grant access to the relevant personal data and become

    complied with the request of the data subject to exercise his rights, in particular the right
    to data deletion (article 17.1 GDPR), and to delete the relevant data

    personal data.


9. The present decision is a prima facie decision taken by the Litigation Chamber

    in accordance with article 95 WOG on the basis of the complaint submitted by the complainant, in the context of Decision 160/2022 - 4/6



                                                                                  1
          the “procedure prior to the decision on the merits” and no decision on the merits of the

          Disputes Chamber within the meaning of Article 100 WOG.


     10. The purpose of this decision is to inform the controller of the

          fact that it may have committed a breach of the provisions of the GDPR and put it in the

          possibility to still comply with the aforementioned provisions.


     11. However, if the controller does not agree with the content of this

          prima facie decision and considers that it may leave factual and/or legal arguments

          funds that could lead to a different decision, this can be done via the e-mail address


          litigationchamber@apd-gba.be to submit a request for consideration of the merits of the case to the

          Litigation Chamber and this within the period of 30 days after notification of this decision. The

          enforcement of this decision will, if necessary, take place during the aforementioned period

          suspended.


     12. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber

          the parties pursuant to Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their

          submit defenses as well as attach any documents they deem useful to the file. The

          the present decision will, if necessary, be definitively suspended.


     13. The Disputes Chamber points out for the sake of completeness so that a hearing on the merits of the case can take place

                                                                                                  2
          lead to the imposition of the measures referred to in Article 100 WOG.


     14. Finally, the Disputes Chamber points out the following:







1Section 3, Subsection 2 WOG (Articles 94 through 97).
2Art. 100. § 1. The Litigation Chamber has the power to:

1° to dismiss a complaint;
2° to order the exclusion from prosecution;
3° order the suspension of the judgment;
4° propose a settlement;
5° formulate warnings and reprimands;
6° order that the data subject's requests to exercise his rights be complied with;
7° order that the data subject be informed of the security problem;
8° order that the processing be temporarily or permanently frozen, restricted or prohibited;

9° order that the processing be brought into compliance;
10° the rectification, restriction or deletion of data and the notification thereof to the recipients of the data
command;
11° order the withdrawal of the accreditation of certification bodies;
12° to impose penalty payments;
13° to impose administrative fines;
14° order the suspension of cross-border data flows to another State or an international institution;

15° transfer the file to the Public Prosecutor's Office of the Crown Prosecutor in Brussels, who informs it of the follow-up to
the file is given;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
§2.If, after application of §1,15°, the Public Prosecutor's Office decides not to institute criminal proceedings, an amicable settlement

or to propose mediation in criminal matters referred to in Article 216ter of the Code of Criminal Procedure, or when it
Public Prosecution Service has not taken a decision within a period of six months from the day of receipt of
the file, the Data Protection Authority decides whether the administrative procedure must be resumed. Decision 160/2022 - 5/6



        If one of the parties wishes to make use of the possibility to consult and

        copying the file (art. 95, § 2, 3° WOG), he must turn to the secretariat

        of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment

        to capture.

        If a copy of the file is requested, the documents will be sent electronically if possible

        or otherwise delivered by regular mail.



III. Publication of the decision


    15. Given the importance of transparency with regard to decision-making by the

        Litigation Chamber, this decision will be published on the website of the

        Data Protection Authority. However, it is not necessary for this to include the identification data

        of the parties are disclosed directly.




FOR THESE REASONS,

the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
    1. pursuant to Article 58.2, c) GDPR and Article 95, §1, 5° WOG order the defendant that

        the request of the data subject to exercise his rights is complied with, more

        determines the right of inspection (article 15.1 AVG), and to grant access to

        the relevant personal data, and this within a period of 30 days, counting from

        notification of this decision

    2. pursuant to Article 58.2, c) GDPR and Article 95, §1, 5° WOG order the defendant that

        the request of the data subject to exercise his rights is complied with, more

Hielke Hijmansd has the right to erasure (article 17.1 GDPR), and to delete the

Chairman of the personal data, and this within a period of 30 days from the

        notification of this decision;

    3. order the defendant to the Data Protection Authority (Litigation Chamber) by e-mail

        to be informed within the same period of the effect of this decision

        given via the e-mail address litigationchamber@apd-gba.be; and

    4. in the absence of the timely implementation of the above by the defendant, the case

        to be dealt with on the merits ex officio in accordance with Articles 98 et seq. of the WOG. Decision 160/2022 - 6/6




Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification

this decision may be appealed to the Marktenhof (Brussels Court of Appeal), with the

Data Protection Authority as defendant.


Such an appeal may be lodged by means of an inter partes petition that the in art

                                                                                                 3
1034terofthe Judicial Codemustcontainenumeratedenumerations.

contradictions must be submitted to the Registry of the Market Court in accordance with Article

1034quinquiesvanhetGer.W. , or via the Deposit Information System of Justice (article 32ter of

the Ger.W.).












(get). Hielke HIJMANS

Chairman of the Litigation Chamber






































3 The petition states, under penalty of nullity:

 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
     enterprise number;
 3° the surname, first name, place of residence and, where appropriate, the capacity of the person to be summoned;
 4° the object and brief summary of the means of the claim;
 5° the court before which the action is brought;
 6° the signature of the applicant or his lawyer.

4 The petition with its annex is sent by registered letter in as many copies as there are parties involved
the clerk of the court or deposited at the clerk's office.