APD/GBA (Belgium) - 12/2023: Difference between revisions

From GDPRhub
mNo edit summary
No edit summary
Line 71: Line 71:
}}
}}


The Belgian DPA found a violation of [[:Category:Article 12 GDPR|Articles 12]] and [[:Category:Article 13 GDPR|13]] GDPR by a department of the King's office but considered that the King's immunity extended to his office and therefore declared the complaint inadmissible.
The Belgian DPA found a violation of [[:Category:Article 12 GDPR|Articles 12]] and [[:Category:Article 13 GDPR|13]] GDPR for some data processing operations carried out by a department of the King of Belgium office. However, considered the King's immunity under Belgian law, the DPA declared the complaint inadmissible.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The controller in this case was a department of the King's office that deals with social affairs. A data subject had a dispute with a public authority (the Government of the German-speaking Community, hereafter the Government) which had only partially responded to his request for information. The data subject wrote several complaint letters to the King. These letters contained personal data: his surname, first name and address. The service of the King's office (controller) received these letters and transferred them to the Government.
The controller in this case was a department of the King's office that deals with social affairs. A data subject had a dispute with a public authority, more precisely, the Government of the German-speaking Community (hereafter, the "Government") which had only partially responded to his request for information. The data subject wrote several complaint letters to the King. These letters contained personal data: his surname, first name and address. In an attempt to solve the matter, the King's office (controller) that had received these letters transferred them to the Government.


The data subject requested access to his data from the controller in accordance with [[:Category:Article 15 GDPR|Article 15]] and requested information about the transfer of his data to the Government. The controller did not respond to his requests. The data subject also considered that there was no basis for lawfulness of the processing. He stated in particular that the transfer of his data to the Government was not necessary, since the controller could have simply contacted the Government to remind it to respond to the requests for information.
The data subject became aware of such disclosure and subsequently submitted an access request with the controller in accordance with [[:Category:Article 15 GDPR|Article 15 GDPR]]. Among the other things, he specifically inquired about the transfer of his data to the Government. The controller did not respond to his requests. The data subject also doubted the overall lawfulness of the processing. In particular, he argued that the transfer of his data was not necessary, since the controller could have simply interceded with the Government to remind it to respond to the requests for information.


He therefore filed a complaint with the Belgian DPA.
He therefore filed a complaint with the Belgian DPA. During the investigation, the controller argued that the King's Office and its services benefit from the immunity from jurisdiction granted to the King under Article 88 of the Belgian Constitution.
 
The Controller argued that the King's Office and its services benefit from the immunity from jurisdiction granted to the King under Article 88 of the Belgian Constitution.


=== Holding ===
=== Holding ===
Line 89: Line 87:
The DPA examined the existence of a legal basis on the basis of [[:Category:Article 6(1) GDPR|Article 6(1)(e) GDPR]], which requires that the processing operation is carried out in the public interest ''and'' that it is necessary for the performance of that task.  
The DPA examined the existence of a legal basis on the basis of [[:Category:Article 6(1) GDPR|Article 6(1)(e) GDPR]], which requires that the processing operation is carried out in the public interest ''and'' that it is necessary for the performance of that task.  


On the subject of the public task, the DPA refered to a report which states that the King has a duty to form an opinion on the cases submitted to him. The Controller was part of the King's services and was responsible for the task of dealing with requests for social assistance addressed to the King. The DPA considered that the fact that the person concerned sent his request to the King showed that he was aware of the King's possibility to intervene in citizens' requests.  
On the subject of the public task, the DPA referred to a report which states that the King has a duty to form an opinion on the case brought to his attention. The controller was part of the King's services and was responsible for the task of dealing with requests for social assistance addressed to the King. Since the data subject sent his request to the King, he must have been aware of the King's possibility to intervene in citizens' requests, the DPA argued.  


Regarding the necessity criteria, the DPA recalled that [[:Category:Article 6(3) GDPR|Article 6(3)]] requires that the purposes of the processing must be necessary for the performance of a task carried out in the public interest. Referring to the case law of the CJEU, the DPA also recalled that if there are realistic and less intrusive alternatives, the processing is not "necessary". In this case, the DPA considered that the personal data contained in the letter that the controller transferred were related to the explanation of the dispute and that it was not realistic or effective to pseudonymise them. In response to the data subject's view that the controller could have contacted the Government without transferring his data, the DPA considered that this was in contradiction with its aim of effective intervention. It therefore considered that the processing was necessary to resolve the conflict between the data subject and the Government.  
Regarding the necessity criteria, the DPA recalled that [[:Category:Article 6(3) GDPR|Article 6(3)]] requires that the purposes of the processing must be necessary for the performance of a task carried out in the public interest. Referring to the case law of the CJEU, the DPA also recalled that if there are realistic and less intrusive alternatives, the processing is not "necessary". In this case, the DPA considered that the personal data contained in the letter that the controller transferred were related to the explanation of the dispute and that it was not realistic or effective to pseudonymise them. In response to the data subject's view that the controller could have contacted the Government without transferring his data, the DPA considered that this was in contradiction with its aim of effective intervention. It therefore considered that the processing was necessary to resolve the conflict between the data subject and the Government.  
Line 101: Line 99:
'''Immunity from jurisdiction'''
'''Immunity from jurisdiction'''


The DPA explained that the King enjoys immunity on the basis of the belgian Constitution. Whether this immunity extends to his collaborators, however, was controversial. "Despite the absence of an indisputable and irrefutable normative basis to support it, and despite the fact that the right to data protection is a fundamental right", the DPA considered that the majority doctrine was in favor of extending immunity. It therefore declared the complaint inadmissible, noting that this did not remove the illegality of the conduct, and invited the controller to comply with [[:Category:Article 12 GDPR|Articles 12]] and [[:Category:Article 13 GDPR|13]].
The DPA explained that the King enjoys immunity on the basis of the Belgian Constitution. Whether this immunity extends to his collaborators, however, was controversial. "Despite the absence of an indisputable and irrefutable normative basis to support it, and despite the fact that the right to data protection is a fundamental right", the DPA considered that the majority doctrine was in favor of extending immunity. It therefore declared the complaint inadmissible, noting that this did not remove the illegality of the conduct, and invited the controller to comply with [[:Category:Article 12 GDPR|Articles 12]] and [[:Category:Article 13 GDPR|13]].


== Comment ==
== Comment ==

Revision as of 08:13, 22 February 2023

APD/GBA - 12/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 6(3) GDPR
Article 12 GDPR
Article 13 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Rejected
Started: 19.11.2020
Decided: 16.02.2023
Published: 17.02.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 12/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: ls

The Belgian DPA found a violation of Articles 12 and 13 GDPR for some data processing operations carried out by a department of the King of Belgium office. However, considered the King's immunity under Belgian law, the DPA declared the complaint inadmissible.

English Summary

Facts

The controller in this case was a department of the King's office that deals with social affairs. A data subject had a dispute with a public authority, more precisely, the Government of the German-speaking Community (hereafter, the "Government") which had only partially responded to his request for information. The data subject wrote several complaint letters to the King. These letters contained personal data: his surname, first name and address. In an attempt to solve the matter, the King's office (controller) that had received these letters transferred them to the Government.

The data subject became aware of such disclosure and subsequently submitted an access request with the controller in accordance with Article 15 GDPR. Among the other things, he specifically inquired about the transfer of his data to the Government. The controller did not respond to his requests. The data subject also doubted the overall lawfulness of the processing. In particular, he argued that the transfer of his data was not necessary, since the controller could have simply interceded with the Government to remind it to respond to the requests for information.

He therefore filed a complaint with the Belgian DPA. During the investigation, the controller argued that the King's Office and its services benefit from the immunity from jurisdiction granted to the King under Article 88 of the Belgian Constitution.

Holding

Lawfulness

The DPA examined the existence of a legal basis on the basis of Article 6(1)(e) GDPR, which requires that the processing operation is carried out in the public interest and that it is necessary for the performance of that task.

On the subject of the public task, the DPA referred to a report which states that the King has a duty to form an opinion on the case brought to his attention. The controller was part of the King's services and was responsible for the task of dealing with requests for social assistance addressed to the King. Since the data subject sent his request to the King, he must have been aware of the King's possibility to intervene in citizens' requests, the DPA argued.

Regarding the necessity criteria, the DPA recalled that Article 6(3) requires that the purposes of the processing must be necessary for the performance of a task carried out in the public interest. Referring to the case law of the CJEU, the DPA also recalled that if there are realistic and less intrusive alternatives, the processing is not "necessary". In this case, the DPA considered that the personal data contained in the letter that the controller transferred were related to the explanation of the dispute and that it was not realistic or effective to pseudonymise them. In response to the data subject's view that the controller could have contacted the Government without transferring his data, the DPA considered that this was in contradiction with its aim of effective intervention. It therefore considered that the processing was necessary to resolve the conflict between the data subject and the Government.

On lawfulness, the DPA therefore concluded that there was no breach of Article 5(1)(a) and Article 6(1).

Rights of the data subject

In the absence of any indication from the controller, the DPA considered that it did not provide the information required by Articles 12 and 13. It therefore considered that these articles were breached. As regards the request for access under Article 15, the DPA did not, however, consider this article as violated. It explained that the data subject's request was for the controller to acknowledge his failures to comply with the GDPR and was therefore not valid.

Immunity from jurisdiction

The DPA explained that the King enjoys immunity on the basis of the Belgian Constitution. Whether this immunity extends to his collaborators, however, was controversial. "Despite the absence of an indisputable and irrefutable normative basis to support it, and despite the fact that the right to data protection is a fundamental right", the DPA considered that the majority doctrine was in favor of extending immunity. It therefore declared the complaint inadmissible, noting that this did not remove the illegality of the conduct, and invited the controller to comply with Articles 12 and 13.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.