APD/GBA (Belgium) - 04/2023: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 74: Line 74:
The data subject requested the controller to remove his e-mail adress from its address list. The controller stated it was not able erase the data subject's e-mail address because this e-mail address was not included in the controller's list in the first place, according to the controller. The controller asked the data subject if he maybe had another e-mail address, that was coupled to the one the data subject was using currently. This coupling of e-mail addresses could potentially result in any e-mail that was received by this 'middle man' email-address being forwarded to the data subject's current e-mail address. That could potentially explain why the data subject was receiveing e-mails on his current e-mail, while this current e-mail was not included in the controller's mailing list.   
The data subject requested the controller to remove his e-mail adress from its address list. The controller stated it was not able erase the data subject's e-mail address because this e-mail address was not included in the controller's list in the first place, according to the controller. The controller asked the data subject if he maybe had another e-mail address, that was coupled to the one the data subject was using currently. This coupling of e-mail addresses could potentially result in any e-mail that was received by this 'middle man' email-address being forwarded to the data subject's current e-mail address. That could potentially explain why the data subject was receiveing e-mails on his current e-mail, while this current e-mail was not included in the controller's mailing list.   


The data subject stated that he could not answer this question of the controller because the controller used the 'BCC' feature for sending its marketing e-mails, which made it impossible for the recipient of an e-mail to see other recipients of the same e-mail. It was therefore not possible for the data subject to verify if another of his current adress was included in the controller's list of recipients. This resulted in a situation where both the data subject and the controller were not able to identify the respective e-mail address used by the controller for its direct marketing. 
The data subject stated that he could not answer this question of the controller because the controller used the 'BCC' feature for sending its marketing e-mails, which made it impossible for the recipient of an e-mail to see other recipients of the same e-mail. It was therefore not possible for the data subject to verify if another of his e-mail adresses was included in the controller's list of recipients.  


The data subject kept receiving direct marketing after this exchange with the controller on his current e-mail address.  
The data subject kept receiving direct marketing after this exchange with the controller on his current e-mail address.  


The data subject filed a complaint at the Belgian DPA at 6 January 2023, because the controller did not comply with his erasure request.  
The data subject filed a complaint at the Belgian DPA at 6 January 2023, because the controller could not comply with his erasure request.  


=== Holding ===
=== Holding ===

Revision as of 14:30, 31 January 2023

APD/GBA - 04/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 5(2) GDPR
Article 12(2) GDPR
Article 17(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 06.01.2023
Decided: 25.01.2023
Published: 27.01.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 04/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Gegevensbeschermingsautoriteit (in NL)
Initial Contributor: Enzo Marquet

The DPA determined that the controller breached Article 5(2) GDPR, Article 12(2) GDPR and Article 17(1) GDPR, because it was unable to the data subject's e-mail from its e-mail list. The DPA ordered the controller to comply with the erasure request pursuant of Article 58(2)(c) GDPR.

English Summary

Facts

The data subject requested the controller to erase his e-mail address, because he kept receiving unwanted marketing emails from the controller. The nature of the controller was not specified in this decision.

The data subject requested the controller to remove his e-mail adress from its address list. The controller stated it was not able erase the data subject's e-mail address because this e-mail address was not included in the controller's list in the first place, according to the controller. The controller asked the data subject if he maybe had another e-mail address, that was coupled to the one the data subject was using currently. This coupling of e-mail addresses could potentially result in any e-mail that was received by this 'middle man' email-address being forwarded to the data subject's current e-mail address. That could potentially explain why the data subject was receiveing e-mails on his current e-mail, while this current e-mail was not included in the controller's mailing list.

The data subject stated that he could not answer this question of the controller because the controller used the 'BCC' feature for sending its marketing e-mails, which made it impossible for the recipient of an e-mail to see other recipients of the same e-mail. It was therefore not possible for the data subject to verify if another of his e-mail adresses was included in the controller's list of recipients.

The data subject kept receiving direct marketing after this exchange with the controller on his current e-mail address.

The data subject filed a complaint at the Belgian DPA at 6 January 2023, because the controller could not comply with his erasure request.

Holding

The DPA confirmed that the data subject correctly exercised his right to erasure. It also reiterated that the controller had explicitlely stated that it had been unable to delete the e-mail address of the data subject from its address list. Thus, the DPA determined that the controller did not fulfil the principle of accountability under Article 5(2) GDPR, because it did not show that it had could comply with the data subject's erasure request and was also unable to show that it facilitated the exercise of data subject's rights in Articles 15 - 22 GDPR, in this case, the right of erasure.

The DPA held that a by not granting the request to erasure, the controller had violated Articles 5(2) GDPR, 12(2) GDPR and 17(1) GDPR.

The DPA also determined that the controller's action of asking the data subject for additional email addresses violated Article 5(1)(c) GDPR, the principle of data minimization. A controller had to be able to erase personal data from its database without asking additional e-mail addresses of data subjects. However, the DPA also confirmed that the controller's practice of sending mails using the 'BCC' feature was in line with the data minimisation principle, because this made it possible to e-mail different recipients without disclosing the identities of all recipients in the e-mail.

The DPA ordered the controller to comply with the erasure request pursuant of Article 58(2)(c) GDPR.

Comment

This was a preliminary (prima facie) decision according to Article 95 WOG, prior to a decision on the merits.

The decision incorrectly refers to Article 5(c) GDPR instead of Article 5(1)(c) GDPR in point 5.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/7







                                                                                   Litigation room



                                                         Decision 04/2023 of 25 January 2023





File number : DOS-2023-00161



Subject : Refusal to comply with data erasure request




The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

sole chairman;



Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on

the protection of natural persons with regard to the processing of personal data and
on the free movement of such data and repealing Directive 95/46/EC (general

Data Protection Regulation), hereinafter GDPR;



Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;


Having regard to the rules of internal order, as approved by the Chamber of Representatives

on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;



Having regard to the documents in the file;




has taken the following decision regarding:

                                                                                                   .
The complainant: Mr X, hereinafter referred to as “the complainant”; .

                                                                                                   .

The controller: Y, hereinafter “the controller” Substantive decision 04/2023 - 2/7




I. Factual Procedure




    1. On January 6, 2023, the complainant filed a complaint with the Data Protection Authority against the

        controller.


    2. The object of the complaint concerns the lack of appropriate action on the part of the

        controller at the request of the complainant to erase his

        personal data, in particular his e-mail address which is provided by the controller

        is used to send the complainant unsolicited advertising. The complainant indicates that he

        repeatedly requested that data be erased. The

        controller has responded to this by indicating that the e-mail address

        with which the complainant addresses the controller with the request for deletion,

        being the address […], is not included in his listing/address list. This has led to the

        controller requested the complainant to indicate whether he has any other concerns

        has an email address associated with […]. The complainant then argued that the unwanted e-mails were passed on

        be sent to the controller in "bcc", so that the complainant cannot

        answers to this. Notwithstanding the complainant's repeated request to erase its

        e-mail address in order to stop receiving unwanted advertising messages, remains the complainant

        however, unwanted direct marketing e-mails from the controller

        receive.


    3. On January 11, 2023, the complaint will be declared admissible by the First Line Service on the basis of

        Articles 58 and 60 WOG and the complaint is based on art. 62, §1 WOG transferred to the
        Litigation room.


II. Motivation



    4. The Disputes Chamber determines on the basis of the documents that support the complaint that the complainant is entitled

        has exercised on data erasure, but the controller has failed to do so

        to follow it up appropriately. As a result, the controllers acted in
                            1 2 3
        contravenes Articles 5.2 and 12.2 GDPR, as well as Article 17.1 GDPR.




1 Article 5.2 GDPR. The controller is responsible for and can demonstrate compliance with paragraph 1
(“accountability”).

2Article 12 GDPR
[…]

2. The controller shall facilitate the exercise of the data subject's rights under Articles 15 to
22. In the cases referred to in Article 11(2), the controller may not refuse to comply with the request of
the data subject to exercise his or her rights under Articles 15 to 22, unless the controller demonstrates
that he is unable to identify the person concerned.
[…]

3Article 17 GDPR Substantive decision 04/2023 - 3/7




        expressly to not be able to delete the e-mail address via which

        the complainant receives the unwanted direct marketing messages. This means that the

        controller does not have the accountability obligation as stipulated in Article 5.2 GDPR

        complies, as the controller fails to demonstrate appropriate

        to comply with the request of the complainant and to be able to exercise his right to

        data erasure (article 17.1 GDPR), notwithstanding the obligation of the

        controller to facilitate the exercise of the rights of the

        data subject pursuant to Articles 15 to 22 GDPR, in this case the right of the complainant

        on data erasure.


    5. Although the sending of advertising messages by the controller through

        of e-mail where the recipients are listed in "bcc", making them unknown to each other

        remain in line with the data minimization principle (Article 5.c)

        GDPR), the controller does not act in accordance with this principle

        moment that other e-mail addresses available to the complainant are requested in order to

        may proceed to remove the e-mail address that, if necessary, leads to the complainant

        receive unwanted messages. In order to facilitate the exercise of rights, the

        controller in a system without compromising the principle of

        minimal data processing is ignored. The controller thus submits

        to be able to delete the e-mail address that gave rise to the unwanted

        mailings without the complainant having to provide additional e-mail addresses.













1. The data subject shall have the right of the controller to erase his data without undue delay
obtain personal data and the controller is obliged to erase personal data without undue delay
when one of the following applies:

a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws the consent on which the processing is based in accordance with point (a) of Article 6(1) or point (a) of Article 9(2);
and there is no other legal basis for the processing;

c) the data subject objects to the processing in accordance with Article 21(1) and there are no overriding compelling
legitimate grounds for the processing, or the data subject objects to the processing in accordance with Article 21(2);
d) the personal data have been processed unlawfully;

e) the personal data must be erased to comply with a legal requirement laid down in Union or Member State law
obligation incumbent on the controller;
f) the personal data have been collected in connection with the offer of information society services as referred to in Article 8 paragraph
1.

4See Recital 59 GDPR. Arrangements should be in place to enable the data subject to exercise his rights under these
Regulation, such as mechanisms to request, in particular, access to, rectification or erasure of
personal data and, if applicable, to obtain it free of charge, as well as to exercise the right to object. The
controller should also provide means to submit requests electronically, especially when personal data
be processed electronically.

[…] Decision on the substance 04/2023 - 4/7




    6. The Disputes Chamber is of the opinion that on the basis of the above analysis it should be

        concluded that the controller has committed a breach of the provisions of the

        GDPR was committed, which justifies taking a
        decision pursuant to Article 95, §1, 5° WOG, more specifically the controller in

        order to comply with the exercise by the bearer of his right to data erasure

        (Article 17.1 GDPR) and this in particular in view of the documents submitted by the complainant

        it appears that the complainant has requested the controller to proceed with the

        deletion of his data, without appropriate action being taken by the

        controller.


    7. This decision is a prima facie decision taken by the Litigation Chamber

        in accordance with Article 95 WOG on the basis of the complaint submitted by the complainant, in the context of
                                                                 5
        the 'procedure prior to the decision on the merits' and no decision on the merits of the
        Disputes Chamber within the meaning of Article 100 WOG.


    8. The purpose of this decision is to inform the controller of the

        fact that it may have committed a breach of the provisions of the GDPR and put it in the

        possibility to still comply with the aforementioned provisions.


    9. However, if the controller does not agree with the content of this

        prima facie decision and considers that it may leave factual and/or legal arguments

        funds that could lead to a different decision, this can be done via the e-mail address
        litigationchamber@apd-gba.be to submit a request for consideration of the merits of the case to the

        Litigation Chamber and this within the period of 30 days after notification of this decision. The

        enforcement of this decision will, if necessary, take place during the aforementioned period

        suspended.


    10. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber

        the parties pursuant to Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their

        submit defenses as well as attach any documents they deem useful to the file. The

        the present decision will, if necessary, be definitively suspended.

















5Section 3, Subsection 2 WOG (Articles 94 to 97 inclusive). Decision on the substance 04/2023 - 5/7




     11. The Disputes Chamber points out for the sake of completeness that a treatment on the merits of the case is possible
                                                                                               6
         lead to the imposition of the measures referred to in Article 100 WOG.


     12. Finally, the Disputes Chamber points out the following:


         If one of the parties wishes to make use of the possibility to consult and

         copying the file (art. 95, §2, 3° WOG), he must turn to the secretariat

         of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment

         to capture.



     13. If a copy of the file is requested, the documents will be sent electronically if possible

         or otherwise delivered by regular mail. 7





III. Publication of the decision




     14. Given the importance of transparency with regard to decision-making by the

         Litigation Chamber, this decision will be published on the website of the

         Data Protection Authority. However, it is not necessary for this to include the identification data


         of the parties are disclosed directly.















6
 1° to dismiss a complaint;
 2° to order the exclusion of prosecution;
 3° order the suspension of the judgment;
 4° propose a settlement;
 5° formulate warnings and reprimands;
 6° order that the data subject's requests to exercise his rights be complied with;
 7° order that the data subject be informed of the security problem;
 8° order that the processing be temporarily or permanently frozen, restricted or prohibited;
 9° order that the processing be brought into compliance;

 10° the rectification, restriction or deletion of data and the notification thereof to the recipients of the data
command;
 11° to order the withdrawal of the accreditation of certification bodies;
 12° to impose penalty payments;
 13° to impose administrative fines;
 14° order the suspension of cross-border data flows to another State or an international institution;
 15° transfer the file to the Public Prosecutor's Office of the Crown Prosecutor in Brussels, who informs it of the follow-up to the
file is given;
 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.

7 Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the
Dispute room NOT provided. In addition, all communication takes place electronically in principle. Decision on the substance 04/2023 - 6/7








   FOR THESE REASONS,

   the Disputes Chamber of the Data Protection Authority decides, subject to the

   submission of a request by the controller for treatment on the merits

   in accordance with Article 98 et seq. WOG, to:



   - on the basis of Article 58.2, c) GDPR and Article 95, § 1, 5 ° WOG, the controller

      order that the data subject's request to exercise his rights be complied with, more
      stipulates the right to erasure (article 17.1 GDPR), and to delete the

      concerning personal data, and this within a period of 30 days from the

      notification of this decision;



   - to order the controller to notify the Data Protection Authority

      (Dispute Chamber) by e-mail within the same term of the result

      of this decision via the e-mail address litigationchamber@apd-gba.be; and



   - in the absence of timely implementation of the above by the

      controller, to handle the case ex officio on the merits in accordance with

      articles 98 et seq. WOG.








Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification

this decision may be appealed to the Marktenhof (Brussels Court of Appeal), with the

Data Protection Authority as defendant.

Such an appeal may be lodged by means of an inter partes petition that the in art

1034terofthe Judicial Codemustcontainenumeratedenumerations.

contradictions must be submitted to the Registry of the Market Court in accordance with Article







8
 The petition states under penalty of nullity:
 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
    enterprise number;
 3° the surname, first name, place of residence and, where appropriate, the capacity of the person to be summoned;
 4° the object and brief summary of the means of the claim;
 5° the court before which the action is brought;
 6° the signature of the applicant or his lawyer. Substantive decision 04/2023 - 7/7




1034quinquiesvanhetGer.W. , or via the Deposit Information System of Justice (article 32ter of

the Ger.W.).







(get). Hilke Hijmans


Chairman of the Litigation Chamber




































































9 The petition with its annex, in as many copies as there are parties involved, is sent by registered letter to the
clerk of the court or deposited with the clerk of the court.