APD/GBA (Belgium) - 09/2023: Difference between revisions
Revision as of 16:22, 14 February 2023
APD/GBA - 09/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12(3) GDPR, Article 17(1) GDPR, Article 58(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 09.02.2023 |
Published: | 10.02.2023 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 09/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Decision 09/2023 (in NL) |
Initial Contributor: | Matthias Smet |
The DPA determined that the controller violated Articles 12(3), 12(4) and 17(1) GDPR by not taking the necessary steps to remove the data subject's e-mail address from its mailing list. The DPA ordered the controller to comply with the erasure request pursuant to Article 58(2)(c) GDPR.
English Summary
Facts
After receiving unsolicited advertising by e-mail from the controller, the data subject asked the controller on 9 November 2022, and again 2 weeks later, to remove his e-mail address from its address list. Notwithstanding the controller's answer announcing that the necessary steps would be taken to remove the e-mail address from the list, the data subject received unsolicited advertising by e-mail on 16 January 2023. The data subject filed a complaint with the Belgian Data Protection Authority, claiming a lack of appropriate action following receipt of the erasure request.
Holding
The complaint showed that the data subject had correctly exercised his right to erasure. Despite the controller's announcement that appropriate measures would be taken to remove the data subject's e-mail address from its marketing list, no concrete follow-up action had been taken. In fact, the data subject had received another marketing e-mail. The DPA concluded that the controller violated Article 12(3) GDPR, Article 12(4) GDPR and Article 17(1) GDPR and ordered it to comply with the erasure request within 30 days from the notification of its decision, pursuant to Article 58(2)(c) GDPR.
Comment
This was a preliminary (prima facie) decision according to Article 95 WOG, prior to a decision on the merits. Given the importance of transparency, the decision has been published on the website of the Data Protection Authority; it is not necessary for the publication to include the identification data of the parties.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Litigation room
Decision 09/2023 of February 9, 2023
File number : DOS-2023-00339
Subject : Refusal to comply with the data erasure request
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the rules of internal order, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
has taken the following decision regarding:
The complainant: Mr X, hereinafter referred to as “the complainant”;
The controller: Y, hereinafter “the controller”
I. Factual Procedure
1. On 16 January 2023, the complainant filed a complaint with the Data Protection Authority against the controller.
2. The object of the complaint concerns the lack of appropriate action on the part of the controller at the request of the complainant to erase his personal data, in particular his email address […], which is provided by the controller is used to send the customer unsolicited advertising. The complainant requested that data be erased on 9 November 2022 and again on November 14, 2022. Notwithstanding the confirmation of the controller that the necessary action is taken, the complainant will be informed again on 16 January 2023 unsolicited advertising by e-mail from the controller.
3. On January 31, 2023, the complaint will be declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint is based on art. 62, §1 WOG transferred to the Litigation room.
II. Motivation
4. The Disputes Chamber determines on the basis of the documents that support the complaint that the complainant is entitled has exercised on data erasure, but the controller has failed to do so to follow it up. As a result, the controller has acted in violation of Article 12.3 and 12.4 GDPR, as well as Article 17.1 GDPR. [2]
5. The Disputes Chamber is of the opinion that on the basis of the above analysis it should be concluded that the controller has committed a breach of the provisions of the GDPR was committed, which justifies taking a decision pursuant to Article 95, §1, 5° WOG, more specifically the controller in order to comply with the exercise by the bearer of his right to data erasure (Article 17.1 GDPR) and this in particular in view of the documents submitted by the complainant it appears that the complainant has requested the controller to proceed with the deletion of his data, without appropriate action being taken by the controller.
6. The present decision is a prima facie decision taken by the Litigation Chamber in accordance with article 95 WOG on the basis of the complaint submitted by the complainant, in the context of [3] the 'procedure prior to the decision on the merits' and no decision on the merits of the Disputes Chamber within the meaning of Article 100 WOG.
7. The purpose of this decision is to inform the controller of the fact that it may have committed a breach of the provisions of the GDPR and put it in the possibility to still comply with the aforementioned provisions.
8. However, if the controller does not agree with the contents of this prima facie decision and considers that it may leave factual and/or legal arguments funds that could lead to a different decision, this can be done via the e-mail address litigationchamber@apd-gba.be to submit a request for consideration of the merits of the case to the Litigation Chamber and this within the period of 30 days after notification of this decision. The enforcement of this decision will, if necessary, take place during the aforementioned period suspended.
9. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber the parties pursuant to Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their submit defenses as well as attach any documents they deem useful to the file. The present decision will, if necessary, be definitively suspended.
10. The Disputes Chamber points out for the sake of completeness that a treatment on the merits of the case is possible [4] lead to the imposition of the measures referred to in Article 100 WOG.
11. Finally, the Disputes Chamber points out the following:
12. If one of the two parties wishes to make use of the possibility to consult and copying the file (art. 95, §2, 3° WOG), he must turn to the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment to capture.
13. If a copy of the file is requested, the documents will be sent electronically if possible [5] or otherwise delivered by regular mail.
III. Publication of the decision
14. Given the importance of transparency with regard to decision-making by the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for this to include the identification data of the parties are disclosed directly.
FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, subject to the submission of a request by the controller for treatment on the merits in accordance with Article 98 et seq. WOG, to:
- on the basis of Article 58.2, c) GDPR and Article 95, § 1, 5 ° WOG, the controller order that the data subject's request to exercise his rights be complied with, more stipulates the right to erasure (article 17.1 GDPR), and to delete the concerning personal data, and this within a period of 30 days from the notification of this decision;
- to order the controller to notify the Data Protection Authority (Dispute Chamber) by e-mail within the same term of the result of this decision via the e-mail address litigationchamber@apd-gba.be; and
- in the absence of timely implementation of the above by the controller, to handle the case ex officio on the merits in accordance with articles 98 et seq. WOG.
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification this decision may be appealed to the Marktenhof (Brussels Court of Appeal), with the Data Protection Authority as defendant.
Such an appeal may be lodged by means of an inter partes petition that the in art 1034ter of the Judicial Code must contain enumerated enumerated. The application on [6] contradictions must be submitted to the Registry of the Market Court in accordance with Article [7] 1034quinquies of the Ger.W., or via the Deposit Information System of Justice (article 32ter of the Ger.W.).
(Get.) Hielke Hijmans
Chairman of the Litigation Chamber
[1] Article 12 GDPR […] 3. The controller shall provide the data subject without undue delay and in any event within one month of receipt of the request information on the action taken on the request under Articles 15 to 22. Depending on the complexity of the requests and the number of requests, that period may be extended by a further two months if necessary. The controller shall inform the data subject of such an extension within one month of receipt of the request. When the data subject submits his request electronically, the information shall be provided electronically if possible, unless the data subject otherwise requests. 4. Where the controller does not comply with the request of the data subject, it shall inform the data subject without undue delay and no later than one month after receipt of the request why the request has not been acted upon, and informs him about this the possibility to lodge a complaint with a supervisory authority and to appeal to the courts. […]
[2] Article 17 GDPR 1. The data subject shall have the right of the controller to erase his data without undue delay obtain personal data and the controller is obliged to erase personal data without undue delay when one of the following applies: a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (b) the data subject withdraws the consent on which the processing is based in accordance with point (a) of Article 6(1) or point (a) of Article 9(2); and there is no other legal basis for the processing; c) the data subject objects to the processing in accordance with Article 21(1) and there are no overriding compelling legitimate grounds for the processing, or the data subject objects to the processing in accordance with Article 21(2); d) the personal data have been processed unlawfully; e) the personal data must be erased to comply with a legal requirement laid down in Union or Member State law obligation incumbent on the controller; f) the personal data have been collected in connection with the offer of information society services as referred to in Article 8 paragraph 1.
[3] Section 3, Subsection 2 WOG (Articles 94 to 97 inclusive).
[4] 1° to dismiss a complaint; 2° to order the exclusion of prosecution; 3° order the suspension of the judgment; 4° propose a settlement; 5° formulate warnings and reprimands; 6° order that the data subject's requests to exercise his rights be complied with; 7° order that the data subject be informed of the security problem; 8° order that the processing be temporarily or permanently frozen, restricted or prohibited; 9° order that the processing be brought into compliance; 10° the rectification, restriction or deletion of data and the notification thereof to the recipients of the data command; 11° to order the withdrawal of the accreditation of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° order the suspension of cross-border data flows to another State or an international institution; 15° transfer the file to the Public Prosecutor's Office of the Crown Prosecutor in Brussels, who informs it of the follow-up to the file is given; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
[5] Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the Dispute room NOT provided. In addition, all communication takes place electronically in principle.
[6] The petition states under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, where appropriate, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer.
[7] The petition with its annex, in as many copies as there are parties involved, is sent by registered letter to the clerk of the court or deposited with the clerk of the court.