APD/GBA (Belgium) - 128/2023: Difference between revisions
(Overall good! But please remember the formatting rules (eg., you wrote "Article 15," but it is supposed to be "Article 15 GDPR") Also I explained some of the GDPR articles referred to in the summary (remember not all of our readers have a legal background). Otherwise, legal analysis was great!) |
mNo edit summary |
||
Line 83: | Line 83: | ||
The DPA made an order under [[Article 58 GDPR#2c|Article 58(2)(c)]] for the controller to comply with the data subject's requests under [[Article 15 GDPR|Article 15(1) GDPR]] and [[Article 17 GDPR|Article 17(1) GDPR]]. | The DPA made an order under [[Article 58 GDPR#2c|Article 58(2)(c)]] for the controller to comply with the data subject's requests under [[Article 15 GDPR|Article 15(1) GDPR]] and [[Article 17 GDPR|Article 17(1) GDPR]]. | ||
[[Article 15 GDPR#1|Article 15(1)]] GDPR provides data subjects with the right to access personal data concerning them and infromation relating to it, from a controller In particular, Article 15(1)(g) provides that a data subject is entitled to information concerning the source of data "where personal data are not collected form the data subject..." | Firstly, [[Article 15 GDPR#1|Article 15(1)]] GDPR provides data subjects with the right to access personal data concerning them and infromation relating to it, from a controller In particular, Article 15(1)(g) provides that a data subject is entitled to information concerning the source of data "where personal data are not collected form the data subject..." | ||
[[Article 17 GDPR|Article 17(1) GDPR]] establishes the right of erasure, which grants data subjects the right to request that all data concerning them are erased by the controller. | Secondly, [[Article 17 GDPR|Article 17(1) GDPR]] establishes the right of erasure, which grants data subjects the right to request that all data concerning them are erased by the controller. | ||
Lastly, the DPA concluded a prima facie breach of [[Article 15 GDPR]] and [[Article 17 GDPR]] in combination with [[Article 12 GDPR|Article 12(3) GDPR]] and [[Article 12 GDPR|Article 12(4) GDPR]], because the controller did not facilitate the request for data access and erasure. | |||
Article 12(3) GDPR provides a time limit of 1 month for controllers to facilitate requests made under Articles 15 - 22 GDPR, and Article 12(4) GDPR notes that if the controller does not take action within the prescribed time frame, they must inform the data subject of why they did not take action and the data subject's ability to lodge a complaint with a supervisory authority. The controller did neither, thus the DPA additionally found a breach of Articles 12(3) and 12(4) GDPR. | Article 12(3) GDPR provides a time limit of 1 month for controllers to facilitate requests made under Articles 15 - 22 GDPR, and Article 12(4) GDPR notes that if the controller does not take action within the prescribed time frame, they must inform the data subject of why they did not take action and the data subject's ability to lodge a complaint with a supervisory authority. The controller did neither, thus the DPA additionally found a breach of Articles 12(3) and 12(4) GDPR. |
Latest revision as of 09:19, 13 September 2023
APD/GBA - 128/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12(3) GDPR Article 12(4) GDPR Article 15 GDPR Article 15(1) GDPR Article 17 GDPR Article 17(1) GDPR Article 58(2)(c) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 02.08.2023 |
Decided: | 05.09.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 128/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | Autorité de protection des données (in FR) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA ordered a controller to comply with an access request under Article 15(1) GDPR and an erasure request under Article 17(1) GDPR, after the controller failed to facilitate the requests.
English Summary
Facts
On 10 June 2023, the data subject received an email from a real estate agent (the controller). On the same day, the data subject replied to this email requesting explicilty for the controller to notify him of (a) the person or company who transmitted his data, and (b) requested that all of the data related to him be erased. The controller did not respond to the data subject. The controller claimed to have received the data subject's information from a source they knew but refused to disclose, and instead stressed that every email included the option to opt-out.
On 2 August 2023, the data subject filed a complaint with the Belgian DPA.
Holding
The DPA made an order under Article 58(2)(c) for the controller to comply with the data subject's requests under Article 15(1) GDPR and Article 17(1) GDPR.
Firstly, Article 15(1) GDPR provides data subjects with the right to access personal data concerning them and infromation relating to it, from a controller In particular, Article 15(1)(g) provides that a data subject is entitled to information concerning the source of data "where personal data are not collected form the data subject..."
Secondly, Article 17(1) GDPR establishes the right of erasure, which grants data subjects the right to request that all data concerning them are erased by the controller.
Lastly, the DPA concluded a prima facie breach of Article 15 GDPR and Article 17 GDPR in combination with Article 12(3) GDPR and Article 12(4) GDPR, because the controller did not facilitate the request for data access and erasure.
Article 12(3) GDPR provides a time limit of 1 month for controllers to facilitate requests made under Articles 15 - 22 GDPR, and Article 12(4) GDPR notes that if the controller does not take action within the prescribed time frame, they must inform the data subject of why they did not take action and the data subject's ability to lodge a complaint with a supervisory authority. The controller did neither, thus the DPA additionally found a breach of Articles 12(3) and 12(4) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/7 Litigation Chamber Decision 128/2023 of September 5, 2023 File number: DOS-2023-03274 Subject: Complaint relating to the lack of reaction to a request for access and erasure carried out as part of a real estate canvassing The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke H IJMANS, president; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”; Having regard to the Law of December 3, 2017 establishing the Data Protection Authority, hereinafter “ACL”; Considering the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has taken the following decision regarding: The complainant: . . The defendant: LAGENCE Y, hereinafter: “the defendant”. . Decision 128/2023 — 2/7 I. Facts and procedure 1. On August 2, 2023, the complainant filed a complaint with the Data Protection Authority. data (hereinafter “the DPA”) against the defendant, an agency specializing in the market real estate for expatriates in Brussels and its surroundings. 2. The subject of the complaint concerns the lack of reaction to an access and erasure request carried out as part of a real estate canvassing. 3. On June 10, 2023, the plaintiff receives an email from the defendant in his inbox private. This email concerns the rental of your property, identified under the reference “…”. This communication is part of a direct canvassing for the rental of the plaintiff's apartment. The defendant claims to have collected information about potentially interesting goods for its customers, as well as information on individuals with whom she would have already collaborated. According to the defendant, the name of the complainant would have been quoted by a source known to them, without disclosing the identity of this source. Moreover, the defendant emphasizes that the complainant can express his desire to no longer be contacted by responding to the same email. 4. In the context of the complaint, the complainant specifies that he did not make public the rental listing of his property, with the exception of a publication on a Facebook group (without mention of his mail) and on a professional intranet of an unspecified institution. The approach of the defendant surprises him, because she should not have known this information. 5. Still on June 10, 2023, the plaintiff responded to the defendant by raising two questions; He explicitly asks the defendant to reveal the person or company who transmitted his data, and he demands that all data concerning him be erased immediately. According to the plaintiff, the defendant did not respect the legal deadline of 30 days to provide an adequate response to his request. 6. On August 9, 2023, the complaint was declared admissible by the Front Line Service (hereinafter 1 “SPL”) on the basis of Articles 58 and 60 of the LCA and the complaint is transmitted to the Chamber 2 Litigation under Article 62, § 1 of the LCA. II. Motivation 7. Pursuant to Article 4, § 1 of the LCA, the DPA is responsible for monitoring the principles of data protection contained in the GDPR and other laws containing provisions relating to the protection of the processing of personal data. 1 Under article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been declared 2Pursuant to article 95, § 2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that following this complaint, the file was sent to him. Decision 128/2023 — 3/7 8. Pursuant to Article 33, § 1 of the LCA, the Litigation Chamber is the body for administrative litigation of the APD. It receives complaints that the SPL forwards to it in application of Article 62, § 1 of the LCA, i.e. admissible complaints. In accordance with Article 60 paragraph 2 of the LCA, complaints are admissible if they are drawn up in one national languages, contain a statement of the facts and the information necessary to identify the processing of personal data to which they relate and which fall under the jurisdiction of the APD. 9. Pursuant to articles 51 et seq. of the GDPR and article 4, § 1 of the LCA, it is up to the Litigation Chamber as an administrative litigation body of the APD, to exercise effective control of the application of the GDPR and to protect freedoms and rights fundamentals of natural persons with regard to the processing and to facilitate the free flow personal data within the Union. 10. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the order regulations internal to the DPA, a copy of the file may be requested by the parties. If one of parties wish to make use of the possibility of consulting the file, they are required to contact the secretariat of the Litigation Chamber, preferably via the address litigationchamber@apd-gba.be. 11. Based on the facts described in the complaint file as summarized above, and on the basis of the powers assigned to it by the legislator under article 95, § 1 of the LCA, the Litigation Chamber decides on the follow-up to be given to the complaint, in the occurrence to order the defendant, in accordance with article 58.2.c) of the GDPR and Article 95, § 1, 5° of the LCA, to comply with the request of the person concerned to exercise their rights, more precisely the right of access and the right to erasure, introduced by the complainant on June 10, 2023, in accordance with Articles 15.1 and 17.1 of the GDPR; And this, for the reasons set out below. 12. The Litigation Chamber takes into consideration the grievance raised by the complainant regarding the lack of response from the defendant to its request for access (aimed at obtaining the identity of the individuals and/or entities having shared their personal data) as well as its request for erasure; both exercised on June 10, 2023, in accordance with articles 15.1 and 17.1 of the GDPR, following the receipt of an email sent by the defendant to purposes of “direct marketing” (hereinafter “the disputed email”). 3 APD, Recommendation No. 01/2020 of January 17, 2020 relating to the processing of personal data for marketing purposes direct, p. 8, available on the APD website. The GDPR does not define what is meant by “direct marketing” (prospecting). its interpretation of this legal concept in recommendation no. 01/2020: “Any communication, solicited or unsolicited, aimed at promotion of an organization or person, services, products, whether paid or free, as well as brands or of ideas, addressed by an organization or person acting in a commercial or non-commercial context, directly to one or more several natural persons in a private or professional context, by any means, involving the processing of data personal character. » By “direct marketing”, we therefore mean several forms of promotion, such as email newsletters, commercial telephone calls, text messages or emails or online advertising, whether in a commercial or non-commercial context. Decision 128/2023 — 4/7 13. Article 4(7) of the GDPR defines the “data controller” as “the person physical or legal entity, public authority, service or other body which, alone or 4 jointly with others, determines the purposes and means of the processing. 14. The Litigation Chamber recalls that the data controller must follow up on the request request made pursuant to articles 15 to 22 of the GDPR by the data subject, in this case a request for access provided for by Article 15 of the GDPR and for erasure provided for by article 17 of the GDPR, and in compliance with the conditions set out in article 12 of the GDPR. 5 15. Under Article 12.1 of the GDPR, it is up to the data controller to “take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to make any communication under Articles 15 to 22 and Article 34 with regard to concerns the processing of the data subject in a concise, transparent manner, understandable and easily accessible, in clear and simple terms [...]. ". 16. The Litigation Chamber also emphasizes that it is the responsibility of the data controller to provide the data subject with information on the measures taken following a request made in application of articles 15 to 22 of the GDPR, as soon as possible and in any event within one month of receipt of the request. 6 Article 12.3 of the GDPR provides that this period may, if necessary, be extended by two months, given the complexity and number of requests. In such a case, the person responsible processing informs the data subject of this extension and the reasons for the postponement 8 within one month of receipt of the request. 17. In the event that the data controller does not respond to the request made by the person concerned, he informs him without delay and at the latest within one months from receipt of the request of the reasons for its inaction and the possibility to lodge a complaint with a supervisory authority and lodge an appeal jurisdictional. 18. On the basis of the documents supporting the complaint, the Litigation Chamber finds that the complainant effectively exercised its rights of access and erasure on June 10, 2023, in accordance with to Articles 15.1 and 17.1 of the GDPR, in response to the disputed email received on the same date. Of Furthermore, the Litigation Chamber notes that the complainant submitted his complaint to the DPA on 2 August 2023, thus exceeding the response times allocated to the controller in under Articles 12.3 and 12.4 of the GDPR. Furthermore, it is relevant to note that the grievances 4According to Article 4, 2) of the GDPR, a "processing" of personal data means "any operation or set of operations whether or not carried out using automated processes and applied to personal data or sets of personal data, such as as the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, reconciliation or interconnection, limitation, erasure or destruction”. 5GDPR, art. 12. 6GDPR, art. 12.2 and 12.3. 7GDPR, art. 12.3. 8GDPR, art. 12.3. 9GDPR, art. 12.4. Decision 128/2023 — 5/7 expressed in his response to the disputed email are in all respects consistent with those presented in its complaint filed with the DPA. Finally, the Litigation Chamber emphasizes that if the defendant had fully complied with the requirements set out in Article 12 of the GDPR, it would have taken into account the request for access and erasure. This approach would have potentially prevented the complainant from initiating proceedings before the DPA. 19. Following the aforementioned analysis, the Litigation Chamber considers that the defendant may have violated the following provisions: Articles 15 and 17 of the GDPR, combined with articles 12.3 and 12.4 of the GDPR; what justifies making a prima facie decision facie by the Litigation Chamber in accordance with Article 95 of the LCA, more specifically Article 95, §1, 5° of the LCA, in response to the complaint filed by the complainant, within the framework of the “procedure prior to the substantive decision” 10 and not a decision on the merits of the Litigation Chamber within the meaning of article 100 of the LCA. 20. The purpose of this decision is to inform the defendant, presumed responsible for the processing, of the possibility of a possible violation of the provisions of the GDPR, in order to offer the opportunity to comply with the aforementioned provisions. 21. If, however, the defendant does not agree with the content of this decision prima facie and considers that it can put forward factual and/or legal arguments which could lead to another decision, it may address to the Litigation Chamber a request for processing on the merits of the case via the email address litigationchamber@apd- gba.be, within 30 days of notification of this decision. The case where applicable, the execution of this decision is suspended for the period mentioned above. 22. In the event of continued processing of the case on the merits, under Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their conclusions and attach to the file all the documents they consider useful. If applicable, the this decision is permanently suspended. 23. With a view to transparency, the Litigation Chamber finally emphasizes that a dealing with the case on the merits may lead to the imposition of the measures mentioned in section 100 of the ACL .1 1Section 3, Subsection 2 of the ACL (sections 94 to 97 inclusive). 1Art. 100. § 1. The litigation chamber has the power to 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronouncing the suspension of the pronouncement; 4° to propose a transaction; 5° issue warnings and reprimands; 6° order to comply with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data; 11° order the withdrawal of accreditation from certification bodies; 12° to issue periodic penalty payments; Decision 128/2023 — 6/7 III. Publication of the decision 24. Given the importance of transparency regarding the decision-making process of the Chamber Litigation, this decision is published on the website of the Protection Authority Datas. However, it is not necessary for this purpose that the identification data of the parties are communicated directly. FOR THESE REASONS , the Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by the defendant for treatment on the merits in accordance with articles 98 e.s. of the LCA: - under article 58.2.c) of the GDPR and article 95, § 1, 5° of the LCA, to order the defendant to comply with the request of the person concerned to exercise their rights, more precisely the right of access which implies the revelation of the identity of the individuals and/or entities who shared the person’s data concerned, as well as the right to erasure, requiring the deletion of said data, and this within 30 days from the date of notification of this decision ; - to order the defendant to inform the Data Protection Authority by e-mail data (Litigation Chamber) of the follow-up given to this decision, in the same deadline, via the email address litigationchamber@apd-gba.be; And - if the defendant does not comply in a timely manner with what is requested of it above above, to deal ex officio with the case on the merits, in accordance with articles 98 e.s. of the LCA. In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days from its notification, to the Court of Markets (court of Appeal of Brussels), with the Data Protection Authority as defendant. Such an appeal may be introduced by means of an interlocutory request which must contain the 12 information listed in article 1034ter of the Judicial Code. The interlocutory motion must be 13° to issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° transmit the file to the public prosecutor of the King of Brussels, who will inform it of the action taken in the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. 1The request contains under penalty of nullity: (1) indication of the day, month and year; 2° the name, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or number business; 3° the surname, first name, address and, where applicable, the status of the person to be summoned; 4° the object and summary of the grounds of the request; 5° indication of the judge who is seized of the request; 6° the signature of the applicant or his lawyer. Decision 128/2023 — 7/7 filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 13 via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.). (sé). Hielke H IJMANS President of the Litigation Chamber 13 The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to clerk of the court or filed with the registry.