APD/GBA (Belgium) - 04/2023: Difference between revisions
No edit summary |
No edit summary |
||
Line 65: | Line 65: | ||
}} | }} | ||
The DPA determined that | The DPA determined that the controller breached [[Article 5 GDPR#2|Article 5(2) GDPR]], [[Article 12 GDPR#2|Article 12(2) GDPR]] and [[Article 17 GDPR#1|Article 17(1) GDPR]], because it was unable to erase personal data from its database. The DPA ordered the controller to comply with the request pursuant of [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]]. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject requested the controller to erase his personal data, specifically his e-mail address, according to [[Article 17 GDPR#1|Article 17(1) GDPR]] | The data subject requested the controller to erase his personal data, specifically his e-mail address, according to [[Article 17 GDPR#1|Article 17(1) GDPR]]. The data subject kept receiving direct marketing messages from the controller (nature not specified). The data subject was not able to reply to these e-mails because the controller send its e-mails using the "BCC" feature, which hides the e-mail addresses of all recipients of an e-mail. | ||
The controller stated it was not able | The controller stated it was not able erase the personal data because the data subject's e-mail address was not included in the controller's database, according to the controller. The controller also asked the data subject if he had any other email addresses in order to verify if those were included in the controller's database. The data subject kept receiving direct marketing after this exchange. | ||
The data subject filed a complaint at the Belgian DPA at 6 January 2023, because the controller did not comply with his erasure request. | The data subject filed a complaint at the Belgian DPA at 6 January 2023, because the controller did not comply with his erasure request. | ||
=== Holding === | === Holding === | ||
The DPA confirmed that the data subject correctly exercised his right to erasure. The controller had stated that it had been unable to delete the e-mail address of the data subject from its database. Thus, the DPA determined that the controller did not fulfil the principle of accountability under [[Article 5 GDPR#2|Article 5(2) GDPR]], because it could not show that it had | The DPA confirmed that the data subject correctly exercised his right to erasure. The controller had stated that it had been unable to delete the e-mail address of the data subject from its database. Thus, the DPA determined that the controller did not fulfil the principle of accountability under [[Article 5 GDPR#2|Article 5(2) GDPR]], because it could not show that it had could comply with the data subject's erasure request and was also unable to show that it facilitated the exercise of data subject's rights in [[Article 15 GDPR|Articles 15]] - [[Article 22 GDPR|22 GDPR]], in this case, the right of erasure. | ||
The DPA held that a by not granting the request to erasure, the controller had violated [[Article 5 GDPR#2|Articles 5(2) GDPR]], [[Article 12 GDPR#2|12(2) GDPR]] and [[Article 17 GDPR#1|17(1) GDPR]]. | The DPA held that a by not granting the request to erasure, the controller had violated [[Article 5 GDPR#2|Articles 5(2) GDPR]], [[Article 12 GDPR#2|12(2) GDPR]] and [[Article 17 GDPR#1|17(1) GDPR]]. | ||
The DPA also determined that the controller's action of asking the data subject for additional email addresses violated the data minimisation principle of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. A controller had to be able to erase personal data from its database without asking additional mail addresses of data subjects. | The DPA also determined that the controller's action of asking the data subject for additional email addresses violated the data minimisation principle of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. A controller had to be able to erase personal data from its database without asking additional e-mail addresses of data subjects. However, the DPA also confirmed that the controller's practice of sending mails using the 'BCC' feature was in line with the data minimisation principle, because this made it possible to send e-mail to different recipients without disclosing the identities of these recipients in the e-mail. | ||
The DPA ordered the controller to comply with the request pursuant of [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]]. | |||
== Comment == | == Comment == |
Revision as of 08:49, 31 January 2023
APD/GBA - 04/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(c) GDPR Article 5(2) GDPR Article 12(2) GDPR Article 17(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 06.01.2023 |
Decided: | 25.01.2023 |
Published: | 27.01.2023 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 04/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Gegevensbeschermingsautoriteit (in NL) |
Initial Contributor: | Enzo Marquet |
The DPA determined that the controller breached Article 5(2) GDPR, Article 12(2) GDPR and Article 17(1) GDPR, because it was unable to erase personal data from its database. The DPA ordered the controller to comply with the request pursuant of Article 58(2)(c) GDPR.
English Summary
Facts
The data subject requested the controller to erase his personal data, specifically his e-mail address, according to Article 17(1) GDPR. The data subject kept receiving direct marketing messages from the controller (nature not specified). The data subject was not able to reply to these e-mails because the controller send its e-mails using the "BCC" feature, which hides the e-mail addresses of all recipients of an e-mail.
The controller stated it was not able erase the personal data because the data subject's e-mail address was not included in the controller's database, according to the controller. The controller also asked the data subject if he had any other email addresses in order to verify if those were included in the controller's database. The data subject kept receiving direct marketing after this exchange.
The data subject filed a complaint at the Belgian DPA at 6 January 2023, because the controller did not comply with his erasure request.
Holding
The DPA confirmed that the data subject correctly exercised his right to erasure. The controller had stated that it had been unable to delete the e-mail address of the data subject from its database. Thus, the DPA determined that the controller did not fulfil the principle of accountability under Article 5(2) GDPR, because it could not show that it had could comply with the data subject's erasure request and was also unable to show that it facilitated the exercise of data subject's rights in Articles 15 - 22 GDPR, in this case, the right of erasure.
The DPA held that a by not granting the request to erasure, the controller had violated Articles 5(2) GDPR, 12(2) GDPR and 17(1) GDPR.
The DPA also determined that the controller's action of asking the data subject for additional email addresses violated the data minimisation principle of Article 5(1)(c) GDPR. A controller had to be able to erase personal data from its database without asking additional e-mail addresses of data subjects. However, the DPA also confirmed that the controller's practice of sending mails using the 'BCC' feature was in line with the data minimisation principle, because this made it possible to send e-mail to different recipients without disclosing the identities of these recipients in the e-mail.
The DPA ordered the controller to comply with the request pursuant of Article 58(2)(c) GDPR.
Comment
This was a preliminary (Prima Facie) decision according to Article 95 WOG, prior to a decision on the merits.
The decision incorrectly refers to Article 5(c) GDPR instead of Article 5(1)(c) GDPR in point 5.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/7 Litigation room Decision 04/2023 of 25 January 2023 File number : DOS-2023-00161 Subject : Refusal to comply with data erasure request The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, sole chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the rules of internal order, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has taken the following decision regarding: . The complainant: Mr X, hereinafter referred to as “the complainant”; . . The controller: Y, hereinafter “the controller” Substantive decision 04/2023 - 2/7 I. Factual Procedure 1. On January 6, 2023, the complainant filed a complaint with the Data Protection Authority against the controller. 2. The object of the complaint concerns the lack of appropriate action on the part of the controller at the request of the complainant to erase his personal data, in particular his e-mail address which is provided by the controller is used to send the complainant unsolicited advertising. The complainant indicates that he repeatedly requested that data be erased. The controller has responded to this by indicating that the e-mail address with which the complainant addresses the controller with the request for deletion, being the address […], is not included in his listing/address list. This has led to the controller requested the complainant to indicate whether he has any other concerns has an email address associated with […]. The complainant then argued that the unwanted e-mails were passed on be sent to the controller in "bcc", so that the complainant cannot answers to this. Notwithstanding the complainant's repeated request to erase its e-mail address in order to stop receiving unwanted advertising messages, remains the complainant however, unwanted direct marketing e-mails from the controller receive. 3. On January 11, 2023, the complaint will be declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint is based on art. 62, §1 WOG transferred to the Litigation room. II. Motivation 4. The Disputes Chamber determines on the basis of the documents that support the complaint that the complainant is entitled has exercised on data erasure, but the controller has failed to do so to follow it up appropriately. As a result, the controllers acted in 1 2 3 contravenes Articles 5.2 and 12.2 GDPR, as well as Article 17.1 GDPR. 1 Article 5.2 GDPR. The controller is responsible for and can demonstrate compliance with paragraph 1 (“accountability”). 2Article 12 GDPR […] 2. The controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller may not refuse to comply with the request of the data subject to exercise his or her rights under Articles 15 to 22, unless the controller demonstrates that he is unable to identify the person concerned. […] 3Article 17 GDPR Substantive decision 04/2023 - 3/7 expressly to not be able to delete the e-mail address via which the complainant receives the unwanted direct marketing messages. This means that the controller does not have the accountability obligation as stipulated in Article 5.2 GDPR complies, as the controller fails to demonstrate appropriate to comply with the request of the complainant and to be able to exercise his right to data erasure (article 17.1 GDPR), notwithstanding the obligation of the controller to facilitate the exercise of the rights of the data subject pursuant to Articles 15 to 22 GDPR, in this case the right of the complainant on data erasure. 5. Although the sending of advertising messages by the controller through of e-mail where the recipients are listed in "bcc", making them unknown to each other remain in line with the data minimization principle (Article 5.c) GDPR), the controller does not act in accordance with this principle moment that other e-mail addresses available to the complainant are requested in order to may proceed to remove the e-mail address that, if necessary, leads to the complainant receive unwanted messages. In order to facilitate the exercise of rights, the controller in a system without compromising the principle of minimal data processing is ignored. The controller thus submits to be able to delete the e-mail address that gave rise to the unwanted mailings without the complainant having to provide additional e-mail addresses. 1. The data subject shall have the right of the controller to erase his data without undue delay obtain personal data and the controller is obliged to erase personal data without undue delay when one of the following applies: a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (b) the data subject withdraws the consent on which the processing is based in accordance with point (a) of Article 6(1) or point (a) of Article 9(2); and there is no other legal basis for the processing; c) the data subject objects to the processing in accordance with Article 21(1) and there are no overriding compelling legitimate grounds for the processing, or the data subject objects to the processing in accordance with Article 21(2); d) the personal data have been processed unlawfully; e) the personal data must be erased to comply with a legal requirement laid down in Union or Member State law obligation incumbent on the controller; f) the personal data have been collected in connection with the offer of information society services as referred to in Article 8 paragraph 1. 4See Recital 59 GDPR. Arrangements should be in place to enable the data subject to exercise his rights under these Regulation, such as mechanisms to request, in particular, access to, rectification or erasure of personal data and, if applicable, to obtain it free of charge, as well as to exercise the right to object. The controller should also provide means to submit requests electronically, especially when personal data be processed electronically. […] Decision on the substance 04/2023 - 4/7 6. The Disputes Chamber is of the opinion that on the basis of the above analysis it should be concluded that the controller has committed a breach of the provisions of the GDPR was committed, which justifies taking a decision pursuant to Article 95, §1, 5° WOG, more specifically the controller in order to comply with the exercise by the bearer of his right to data erasure (Article 17.1 GDPR) and this in particular in view of the documents submitted by the complainant it appears that the complainant has requested the controller to proceed with the deletion of his data, without appropriate action being taken by the controller. 7. This decision is a prima facie decision taken by the Litigation Chamber in accordance with Article 95 WOG on the basis of the complaint submitted by the complainant, in the context of 5 the 'procedure prior to the decision on the merits' and no decision on the merits of the Disputes Chamber within the meaning of Article 100 WOG. 8. The purpose of this decision is to inform the controller of the fact that it may have committed a breach of the provisions of the GDPR and put it in the possibility to still comply with the aforementioned provisions. 9. However, if the controller does not agree with the content of this prima facie decision and considers that it may leave factual and/or legal arguments funds that could lead to a different decision, this can be done via the e-mail address litigationchamber@apd-gba.be to submit a request for consideration of the merits of the case to the Litigation Chamber and this within the period of 30 days after notification of this decision. The enforcement of this decision will, if necessary, take place during the aforementioned period suspended. 10. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber the parties pursuant to Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their submit defenses as well as attach any documents they deem useful to the file. The the present decision will, if necessary, be definitively suspended. 5Section 3, Subsection 2 WOG (Articles 94 to 97 inclusive). Decision on the substance 04/2023 - 5/7 11. The Disputes Chamber points out for the sake of completeness that a treatment on the merits of the case is possible 6 lead to the imposition of the measures referred to in Article 100 WOG. 12. Finally, the Disputes Chamber points out the following: If one of the parties wishes to make use of the possibility to consult and copying the file (art. 95, §2, 3° WOG), he must turn to the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment to capture. 13. If a copy of the file is requested, the documents will be sent electronically if possible or otherwise delivered by regular mail. 7 III. Publication of the decision 14. Given the importance of transparency with regard to decision-making by the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for this to include the identification data of the parties are disclosed directly. 6 1° to dismiss a complaint; 2° to order the exclusion of prosecution; 3° order the suspension of the judgment; 4° propose a settlement; 5° formulate warnings and reprimands; 6° order that the data subject's requests to exercise his rights be complied with; 7° order that the data subject be informed of the security problem; 8° order that the processing be temporarily or permanently frozen, restricted or prohibited; 9° order that the processing be brought into compliance; 10° the rectification, restriction or deletion of data and the notification thereof to the recipients of the data command; 11° to order the withdrawal of the accreditation of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° order the suspension of cross-border data flows to another State or an international institution; 15° transfer the file to the Public Prosecutor's Office of the Crown Prosecutor in Brussels, who informs it of the follow-up to the file is given; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. 7 Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the Dispute room NOT provided. In addition, all communication takes place electronically in principle. Decision on the substance 04/2023 - 6/7 FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, subject to the submission of a request by the controller for treatment on the merits in accordance with Article 98 et seq. WOG, to: - on the basis of Article 58.2, c) GDPR and Article 95, § 1, 5 ° WOG, the controller order that the data subject's request to exercise his rights be complied with, more stipulates the right to erasure (article 17.1 GDPR), and to delete the concerning personal data, and this within a period of 30 days from the notification of this decision; - to order the controller to notify the Data Protection Authority (Dispute Chamber) by e-mail within the same term of the result of this decision via the e-mail address litigationchamber@apd-gba.be; and - in the absence of timely implementation of the above by the controller, to handle the case ex officio on the merits in accordance with articles 98 et seq. WOG. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification this decision may be appealed to the Marktenhof (Brussels Court of Appeal), with the Data Protection Authority as defendant. Such an appeal may be lodged by means of an inter partes petition that the in art 1034terofthe Judicial Codemustcontainenumeratedenumerations. contradictions must be submitted to the Registry of the Market Court in accordance with Article 8 The petition states under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, where appropriate, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer. Substantive decision 04/2023 - 7/7 1034quinquiesvanhetGer.W. , or via the Deposit Information System of Justice (article 32ter of the Ger.W.). (get). Hilke Hijmans Chairman of the Litigation Chamber 9 The petition with its annex, in as many copies as there are parties involved, is sent by registered letter to the clerk of the court or deposited with the clerk of the court.