APD/GBA (Belgium) - 87/2023
Latest revision as of 20:10, 4 July 2023
APD/GBA - 87/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12(3) GDPR, Article 12(4) GDPR, Article 13 GDPR, Article 14 GDPR, Article 17(1) GDPR, Article 27(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 27.06.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 87/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | APD/GBA (in NL) |
Initial Contributor: | n/a |
According to the Belgian DPA, a US-based controller whose activity includes the organisation of conferences in Europe is subject to the GDPR and must, among other obligations, appoint a representative.
English Summary
Facts
A Belgian data subject was receiving direct marketing emails from a US-based controller whose activity was to organize conferences in different countries, including in Europe. On 23 February 2023, he asked the controller to delete his data under Article 17(1) GDPR, but the controller did not follow up. On 28 March 2023, the data subject filed a complaint with the Belgian DPA.
Holding
The DPA first assessed whether the GDPR was applicable. Since the controller was based outside the EU, two cumulative conditions under Article 3(2) GDPR must be met for the GDPR to apply: the processing must concern a data subject who is in the Union, and the processing activity must relate to the offering of goods or services to such data subjects or to the monitoring of their behavior as far as that behavior takes place in the EU.
In this case, the DPA considered that the processing activity in question was related to the offering of goods and services to a data subject in the EU. Indeed, some conferences organized by the controller happen in Europe and the controller has a GDPR policy. These elements imply, according to the DPA, that the controller had an intention to actively offer these services within the EU.
Regarding the erasure request, the DPA considered that by not responding to the erasure request, the controller breached Articles 12(3), 12(4) and 17(1) GDPR.
The DPA added that the controller should have appointed a representative in one of the Member States where it is active according to Article 27(3) GDPR and that the identity and contact details of such representative must be provided to the data subjects according to Articles 13 and 14 GDPR. The DPA therefore warned the controller.
Comment
This decision is prima facie. Its purpose is to notify the controller of its breaches and give it the opportunity to comply with the provisions.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Litigation Chamber

Decision 87/2023 of 27 June 2023

File number: DOS-2023-01459

Subject: Exercise of the right to erasure without the defendant having followed up on it

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;

Having regard to the rules of internal order, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Having regard to the documents in the file;

has taken the following decision regarding:

The complainant: Mr X, hereinafter referred to as “the complainant”;

The Defendant: Y, hereinafter “the Defendant”.

I. Factual Procedure

1. On March 28, 2023, the complainant filed a complaint with the Data Protection Authority against the defendant.

2. The complainant receives direct marketing emails from the defendant. On February 23, 2023, the complainant sends a request for data erasure to the defendant. However, the complainant receives no reply to the request to view, but still receives direct marketing emails on 1, 3, 6, 9, 15, 20, 22 and 28 March 2023. On 28 March 2023, the complainant repeated its request for data erasure. The complainant also receives no response to this request. Following this, the complainant submits a complaint to the Data Protection Authority and hereby raises the two requests for data erasure and the receipt of direct marketing emails.

3. On April 6, 2023, the complaint is declared admissible by the First Line Service on the basis of articles 58 and 60 WOG and the complaint is transferred to the Litigation Chamber on the basis of art. 62, §1 WOG.

II. Motivation

4. In order for the Disputes Chamber - to which the complainant appealed pursuant to Article 77 of the GDPR - to be competent to deal with his complaint, it is first of all necessary that the GDPR applies to the litigious facts or that other legislation related to data protection that may form the basis of the competence of the Litigation Chamber applies.

5. With regard to the territorial scope of the GDPR, Article 3 of the GDPR assumes two different cases. In the first case (Article 3.1 of the GDPR), the data processing is carried out in the context of the activities of an establishment of a controller in the territory of the European Economic Area. This first hypothesis therefore presupposes the existence of an establishment on the territory of the European Economic Area. The complaint in the present case is directed against a legal entity which is located in the United States and has no place of business in the territory of the European Economic Area. Article 3.1 of the GDPR is therefore not applicable.

6. The second case provided for in Article 3.2 GDPR specifies that the GDPR applies to the processing of personal data that meets the following three cumulative conditions:

- the processing has been carried out by a controller that is not established in the European Economic Area;
- the processing concerns data subjects who are located on the territory of the European Economic Area; and
- these processing activities are related to:
  a) offering goods or services to these data subjects (article 3.2.a) GDPR) or
  b) monitoring their behavior, insofar as this behavior takes place in the European Economic Area (article 3.2.b) GDPR).

7. On the basis of the documents in the file, the Disputes Chamber is of the opinion that in this case the cumulative conditions are met. With regard to the first condition, the Litigation Chamber established that the defendant is indeed not established in the European Economic Area. With regard to the second condition, the Litigation Chamber notes that it is not clear from the complaint whether the complainant was on the territory of the European Economic Area. Assuming that the complainant was indeed on the territory of the European Economic Area at the time of the indicted facts, this has also been complied with. Finally, the third condition is also satisfied. After all, the processing activity in question is related to "offering goods and services". After all, the defendant organizes conferences in different parts of the world, including Europe (namely Amsterdam) and informs the data subject of this and of its practical aspects, such as ticket sales and discount codes, via direct marketing emails. The intention to also actively offer these services within the European Economic Area is evidenced by the fact that the defendant has a "privacy policy" and a published “GDPR policy”. Consequently, the contested processing fulfills the conditions of Article 3.2 GDPR, which means that the GDPR applies.

8. Article 27.1 of the GDPR stipulates that controllers or processors that, on the basis of Article 3.2 GDPR, fall under the GDPR are obliged to appoint a representative in the Union. The obligation contained in paragraph 1 of this article does not apply to: (i) incidental processing that does not involve large-scale processing of special categories of personal data as referred to in Article 9(1) or the processing of personal data related to criminal convictions and criminal offenses as referred to in Article 10, and where there is a small chance that it poses a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of processing; or (ii) a government agency or government body. These exemption criteria do not apply as the defendant actively targets those affected in the territory of the European Economic Area for offering its services, and since the defendant is not a government agency or government body.

9. The representative is established in one of the Member States where the data subjects are located whose personal data are processed in connection with the provision of goods or services to them, or whose behavior is being observed (Article 27.3 GDPR). The identity and contact details of the representative must be provided to data subjects in accordance with Articles 13 and 14 GDPR. However, the Litigation Chamber notes that the GDPR Policy as published on the website of the defendant does not state the identity and contact details of the defendant.

10. In view of the above, the Disputes Chamber therefore considers it appropriate to warn the defendant, in accordance with article 58.1.a) GDPR j° article 95, § 1, 4° WOG, that, as a controller not established in the Union that is subject to the GDPR but has no representative in the Union, or does not inform the data subjects about this, it violates Articles 13.1.a), 14.1.a) and 27.1 GDPR.

11. The Disputes Chamber determines on the basis of the documents that substantiate the complaint that the complainant exercised his right to data erasure in accordance with Article 17.1 GDPR on February 23, 2023. Pursuant to Article 12.3 GDPR, the controller, in this case the defendant, must respond to the request for data erasure within one month of receipt of the request. If necessary, this period may be extended by a further two months, given the complexity of the request. The complainant must then be notified of this extension within one month of the request for data erasure. If the defendant decides not to comply with the request of the complainant, it must communicate this to the data subject within one month of receipt of the request, in accordance with Article 12.4 GDPR. It does not appear from the file that the complainant has received any reply regarding the action taken by the defendant on the data erasure request. As a result, the controller has acted in contravention of Articles 12.3 and 12.4 GDPR, as well as Article 17.1 GDPR.

12. The Disputes Chamber is of the opinion that on the basis of the above analysis it should be concluded that a breach of the provisions of the GDPR was committed by the defendant, which justifies that in this case a decision is taken on the basis of Article 95, §1, 5° WOG, more specifically to order the defendant to comply with the exercise by the complainant of his right to erasure (article 17.1 GDPR).

13. The present decision is a prima facie decision taken by the Litigation Chamber in accordance with article 95 WOG on the basis of the complaint submitted by the complainant, in the context of the 'procedure prior to the decision on the merits', and is not a decision on the merits of the Disputes Chamber within the meaning of Article 100 WOG. The Disputes Chamber has thus decided, on the basis of Articles 58.2.c) and 95, §1, 5° of the Law of 3 December 2017, to order the defendant that the data subject's requests to exercise his rights are met, more specifically the right to erasure (“right to be forgotten”) as stipulated in Article 17 GDPR.

14. The purpose of this decision is to inform the defendant that it has committed an infringement of the provisions of the GDPR and to enable it still to comply with the aforementioned provisions.

15. However, if the defendant does not agree with the contents of this prima facie decision and is of the opinion that it can assert factual and/or legal arguments that could lead to a different decision, it can submit a request for consideration of the merits of the case to the Disputes Chamber via the email address litigationchamber@apd-gba.be, within 30 days of notification of this decision. The implementation of this decision will, if necessary, be suspended during the aforementioned period.

16. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber will invite the parties, pursuant to Articles 98, 2° and 3° in conjunction with Article 99 WOG, to submit their defenses and to attach any documents they deem useful to the file. The present decision will, if necessary, be definitively suspended.

17. The Disputes Chamber points out, for the sake of completeness, that a hearing on the merits of the case can lead to the imposition of the measures referred to in Article 100 WOG. 2

18. Finally, the Disputes Chamber points out the following: If one of the parties wishes to make use of the possibility to consult and copy the file (Article 95, § 2, 3° WOG), it should turn to the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment. If a copy of the file is requested, the documents will be delivered electronically if possible, or otherwise by regular mail. 3

III. Publication of the decision

19. Given the importance of transparency with regard to decision-making by the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for this that the identification data of the parties are disclosed directly.

FOR THESE REASONS,

the Disputes Chamber of the Data Protection Authority decides, subject to the submission of a request by the defendant for a hearing on the merits in accordance with Article 1 98 ff. WOG, to:

- pursuant to article 58.2.a) GDPR and article 95, §1, 4° WOG, warn the defendant that, as a controller not established in the Union that does fall under the GDPR but has not appointed a representative in the Union or has not informed the data subjects thereof, it violates Articles 13.1.a), 14.1.a) and 27.1 GDPR;
- on the basis of article 58.2.c) GDPR and article 95, §1, 5° WOG, order the defendant to comply with the request of the data subject to exercise his rights, in particular the right to data deletion (article 17.1 GDPR), and to delete the relevant personal data, within a period of 30 days from the notification of this decision;
- order the defendant to inform the Data Protection Authority (Disputes Chamber) by e-mail within the same timeframe of the outcome of this decision via the e-mail address litigationchamber@apd-gba.be; and
- in the absence of the timely implementation of the above by the defendant, deal with the case on the merits ex officio in accordance with Articles 98 et seq. of the WOG.

Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification this decision may be appealed to the Marktenhof (Brussels Court of Appeal), with the Data Protection Authority as defendant.

Such an appeal may be lodged by means of an inter partes petition that must contain the enumerations listed in art. 1034ter of the Judicial Code. 4 contradictions must be submitted to the Registry of the Market Court in accordance with Article 1034quinquies of the Ger.W., or via the Deposit Information System of Justice (article 32ter of the Ger.W.).

(signed) Hielke Hijmans
Chairman of the Litigation Chamber

Footnotes

1 Section 3, Subsection 2 WOG (Articles 94 through 97).

2 1° to dismiss a complaint; 2° to order the exclusion of prosecution; 3° order the suspension of the judgment; 4° propose a settlement; 5° formulate warnings and reprimands; 6° order that the data subject's requests to exercise his rights be complied with; 7° order that the data subject be informed of the security problem; 8° order that the processing be temporarily or permanently frozen, restricted or prohibited; 9° order that the processing be brought into compliance; 10° order the rectification, restriction or deletion of data and the notification thereof to the recipients of the data; 11° to order the withdrawal of the accreditation of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° order the suspension of cross-border data flows to another State or an international institution; 15° transfer the file to the Public Prosecutor's Office of the Crown Prosecutor in Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.

3 Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the Disputes Chamber is NOT provided. In addition, all communication takes place electronically in principle.

4 The petition states under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, where appropriate, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer.

5 The petition with its annex, in as many copies as there are parties involved, is sent by registered letter to the clerk of the court or deposited with the clerk of the court.