APD/GBA (Belgium) - 129/2023: Difference between revisions

From GDPRhub
mNo edit summary
No edit summary
 
Line 61: Line 61:
}}
}}


The Belgian DPA dismissed a complaint regarding automatic number plate recognition cameras, because the complaint did not meet the criteria of having had a ''"high personal impact"'' on the data subject for the purposes of Article 35 GDPR.   
The Belgian DPA dismissed a complaint regarding automatic number plate recognition cameras, because the complaint did not meet the criteria of having had a ''"high personal impact"'' on the data subject within the meaning of Article 35 GDPR.   


== English Summary ==
== English Summary ==
Line 77: Line 77:


=== Holding ===
=== Holding ===
The Belgian DPA dismissed the complaint on the grounds of (1) ''"lack of sufficient personal impact"'' for the purposes of [[Article 35 GDPR|Article 35 GDPR]], and (2) ''"insufficient documetnary evidence"'' that an ''"effective"'' infringement of the GDPR had taken place.   
The Belgian DPA dismissed the complaint on the grounds of (1) ''"lack of sufficient personal impact"'' for the purposes of [[Article 35 GDPR|Article 35 GDPR]], and (2) ''"insufficient documentary evidence"'' that an ''"effective"'' infringement of the GDPR had taken place.   


In reaching its conclusion on these two grounds, the DPA stated that "''the complainant raises a socially relevant issue, but does not demonstrate that an <u>effective</u> infringement of the GDPR has occured. As the complainant does not exercise any rights of a data subject and is merely asking for more information regarding a possible data protection impact assessment, the [DPA] finds that the grievances raised by the complainant do not meet the criteria of high personal impact."''<ref>para 12. </ref>
In reaching its conclusion on these two grounds, the DPA stated that "''the complainant raises a socially relevant issue, but does not demonstrate that an <u>effective</u> infringement of the GDPR has occured. As the complainant does not exercise any rights of a data subject and is merely asking for more information regarding a possible data protection impact assessment, the [DPA] finds that the grievances raised by the complainant do not meet the criteria of high personal impact."''<ref>para 12. </ref>


Firstly, the DPA concluded that the burden of proof lay on the data subject to establish GDPR violations, and noted that the data subject could resubmit a complaint if they could demonstrate a breach of the duty to inform under [[Article 14 GDPR|Article 14]] or lack of confidentiality under [[Article 5 GDPR#1f|Article 5(1)(f)]].  
The DPA concluded that the burden of proof lay on the data subject to establish GDPR violations, and noted that the data subject could resubmit a complaint if they could demonstrate a breach of the duty to inform under [[Article 14 GDPR|Article 14]] or lack of confidentiality under [[Article 5 GDPR#1f|Article 5(1)(f)]].  


== Comment ==
== Comment ==
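Review bot: in the unchanged quotation from para 12, directly below the corrected Holding sentence, "occured" is still misspelled. Since this revision is already a spelling pass over the section (it corrects "documetnary"), fix it to "occurred" in the same edit.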
Line 94: Line 94:
''In principle, the [Belgian DPA] will deem it appropriate to deal with your complaint in depth if it involves grievances with a <u>major social and/or personal impact</u>, in other words if it involves one of the following situations:''
''In principle, the [Belgian DPA] will deem it appropriate to deal with your complaint in depth if it involves grievances with a <u>major social and/or personal impact</u>, in other words if it involves one of the following situations:''


# ''Profiling and predictive activities relating to aspects of the individual's workperformance, economic status, health, personal preferences or interests, reliability or behaviour, or location and travel.''
# ''Profiling and predictive activities relating to aspects of the individual's work performance, economic status, health, personal preferences or interests, reliability or behaviour, or location and travel.''
# ''Automated decision-making with legal effect (or similar significant effects) on the datasubject (e.g. granting credit based on automated criteria).''
# ''Automated decision-making with legal effect (or similar significant effects) on the data subject (e.g. granting credit based on automated criteria).''
# ''Processing operations used to observe, monitor or control data subjects, including thecollection of data over networks or by "systematic surveillance of a publicly accessible area" (e.g. camera surveillance in public places).''
# ''Processing operations used to observe, monitor or control data subjects, including the collection of data over networks or by "systematic surveillance of a publicly accessible area" (e.g. camera surveillance in public places).''
# ''Processing of sensitive data of a highly personal nature, namely personal data asreferred to in Article 9 of the GDPR (data concerning health, data revealing racial orethnic origin, political opinions, religious or philosophical beliefs, or trade unionmembership, and processing of genetic data, biometric data for the purpose ofuniquely identifying a person, or data relating to a person's sexual behaviour orsexual orientation), as well as personal data relating to criminal convictions oroffences (Article 10 of the GDPR).''
# ''Processing of sensitive data of a highly personal nature, namely personal data as referred to in Article 9 of the GDPR (data concerning health, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a person, or data relating to a person's sexual behaviour or sexual orientation), as well as personal data relating to criminal convictions or offences (Article 10 of the GDPR).''
# ''Widely processed data, taking into account the following factors:''
# ''Widely processed data, taking into account the following factors:''
#* ''the number of people affected, either in absolute terms or in relation to the populationunder consideration;''
#* ''the number of people affected, either in absolute terms or in relation to the population under consideration;''
#* ''the volume of data and/or range of different data elements processed;- The geographical scope of the processing activity (e.g. cross-border or not).''
#* ''the volume of data and/or range of different data elements processed;- The geographical scope of the processing activity (e.g. cross-border or not).''
# ''Cross-referencing or combining data sets from different processing activities in a waythat goes beyond the data subject's reasonable expectations (e.g. other than the purposes for which the data were collected).''
# ''Cross-referencing or combining data sets from different processing activities in a way that goes beyond the data subject's reasonable expectations (e.g. other than the purposes for which the data were collected).''
# ''Data concerning vulnerable persons who cannot freely consent (e.g. children,workers, mentally ill people, asylum seekers, patients).''
# ''Data concerning vulnerable persons who cannot freely consent (e.g. children,workers, mentally ill people, asylum seekers, patients).''
# ''Use of new technological or organisational solutions whose impact on data subjects is not easily foreseeable (e.g. facial recognition systems).''  
# ''Use of new technological or organisational solutions whose impact on data subjects is not easily foreseeable (e.g. facial recognition systems).''  
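Review bot: two list items in this hunk keep the same kind of fused text the revision fixes elsewhere. The second sub-bullet under item 5 still runs two factors together (";- The geographical scope of the processing activity"), and item 7 still reads "children,workers". Split the geographical-scope factor into its own #* sub-bullet and add the missing space.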

Latest revision as of 06:45, 20 September 2023

APD/GBA - 129/2023
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(f) GDPR
Article 14 GDPR
Type: Complaint
Outcome: Rejected
Started: 18.07.2023
Decided: 06.09.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 129/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Gegevensbeschermingsautoriteit (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA dismissed a complaint regarding automatic number plate recognition cameras, because the complaint did not meet the criteria of having had a "high personal impact" on the data subject within the meaning of Article 35 GDPR.

English Summary

Facts

The controller is a parking space provider using Automatic Number Plate Recognition (ANPR) cameras. The controller used an ANPR system to facilitate the automatic opening and closing of entry barriers to the premises. After a customer paid for the parking time registered to a vehicle with a certain number plate, the exit to the premises automatically opened for a vehicle with that number plate.

Using this system, the controller collected the following information: (1) the automatic registration of a car's number plate once it has entered the premises, (2) an exact timestamp of entering the premises and duration of parking, and (3) a picture of each vehicle.

On 12 July 2023, the data subject contacted the controller asking whether a data protection impact assessment had been undertaken prior to the implementation of the system, and if so, what the outcome of it was.

On 14 July 2023, the controller replied stating that their new payment mechanism "guarantees the privacy of all users", but disregarded the data subject's question regarding the data protection impact assessment.

On 18 July 2023, the data subject filed a complaint with the Belgian DPA regarding the controller's failure to respond adequately to their request.

Holding

The Belgian DPA dismissed the complaint on the grounds of (1) "lack of sufficient personal impact" for the purposes of Article 35 GDPR, and (2) "insufficient documentary evidence" that an "effective" infringement of the GDPR had taken place.

In reaching its conclusion on these two grounds, the DPA stated that "the complainant raises a socially relevant issue, but does not demonstrate that an effective infringement of the GDPR has occurred. As the complainant does not exercise any rights of a data subject and is merely asking for more information regarding a possible data protection impact assessment, the [DPA] finds that the grievances raised by the complainant do not meet the criteria of high personal impact."[1]

The DPA concluded that the burden of proof lay on the data subject to establish GDPR violations, and noted that the data subject could resubmit a complaint if they could demonstrate a breach of the duty to inform under Article 14 or lack of confidentiality under Article 5(1)(f).

Comment

https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschillenkamer.pdf

Belgian DPA dismissal policy (in Dutch).

In this document, the Belgian DPA's criteria for "high personal impact" are stated as follows:

"3.2.1 General criteria for high social and/or personal impact

In principle, the [Belgian DPA] will deem it appropriate to deal with your complaint in depth if it involves grievances with a major social and/or personal impact, in other words if it involves one of the following situations:

  1. Profiling and predictive activities relating to aspects of the individual's work performance, economic status, health, personal preferences or interests, reliability or behaviour, or location and travel.
  2. Automated decision-making with legal effect (or similar significant effects) on the data subject (e.g. granting credit based on automated criteria).
  3. Processing operations used to observe, monitor or control data subjects, including the collection of data over networks or by "systematic surveillance of a publicly accessible area" (e.g. camera surveillance in public places).
  4. Processing of sensitive data of a highly personal nature, namely personal data as referred to in Article 9 of the GDPR (data concerning health, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a person, or data relating to a person's sexual behaviour or sexual orientation), as well as personal data relating to criminal convictions or offences (Article 10 of the GDPR).
  5. Widely processed data, taking into account the following factors:
    • the number of people affected, either in absolute terms or in relation to the population under consideration;
    • the volume of data and/or range of different data elements processed;
    • the geographical scope of the processing activity (e.g. cross-border or not).
  6. Cross-referencing or combining data sets from different processing activities in a way that goes beyond the data subject's reasonable expectations (e.g. other than the purposes for which the data were collected).
  7. Data concerning vulnerable persons who cannot freely consent (e.g. children, workers, mentally ill people, asylum seekers, patients).
  8. Use of new technological or organisational solutions whose impact on data subjects is not easily foreseeable (e.g. facial recognition systems).
  9. Processing that prevents data subjects from exercising a right or receiving a service or contract.

These criteria are inspired by those used by the European Data Protection Authorities to identify "high-risk" processing operations that should be subject to a prior impact assessment under Article 35 GDPR. These criteria take into account both societal (impact on multiple individuals) and personal factors (impact on a single person). Please consult the professional section of [our] website if you would like further explanation on the criteria of Article 35 GDPR."


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Dispute Chamber

Decision 129/2023 of September 6, 2023

File number: DOS-2023-03077

Subject: introducing a payment system based on ANPR cameras in underground parking lots

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”;

In view of the internal rules of order, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Has made the following decision regarding:

The complainant: Mr. X, hereinafter “the complainant”;

The defendant: Y, hereinafter “the defendant”.


I. Facts and procedure

    1. The subject of the complaint concerns the introduction of a new payment system using ANPR cameras in the underground car parks of Y.

    2. The complainant wrote to the defendant on July 12, 2023 in connection with the payment mechanism of the underground car parks of Y. The car parks use ANPR cameras: when the car enters a parking garage, the license plate is automatically registered and the barrier goes up automatically. When leaving, the driver enters his license plate into one of the payment terminals, after which the terminal, according to the complainant, would provide an overview with the following information: i) confirmation of the presence of the car in the garage, ii) the exact time of entry and the duration of parking, iii) a photo of the car involved. The driver then has to confirm and pay and can then leave the garage, as the barrier automatically goes up again, without any intervention by the driver, again on the basis of ANPR cameras placed at the exit of the parking garage.

    3. In particular, the complainant questions the data protection law nature of this system. He expressly inquires whether a data protection impact assessment (hereinafter: GEB) took place around this practice and what the results were.

    4. In the answer on behalf of the defendant dated July 14, 2023, Z replied that this new payment mechanism also guarantees the privacy of all users. She also explains why the system gains in efficiency. It does not respond to the complainant's request for the results of a GEB and does not indicate whether such an investigation has taken place.

    5. On July 18, 2023, the complainant submits a complaint to the Data Protection Authority against the defendant.

    6. On July 20, 2023, the complaint is declared admissible by the First Line Service on the grounds of Articles 58 and 60 WOG, and the complaint is transferred to the Disputes Chamber on the basis of Article 62, § 1 WOG.



II. Justification

    7. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG, the Disputes Chamber will decide on the further follow-up of the file; in this case the Disputes Chamber will dismiss the complaint in accordance with Article 95, § 1, 3° WOG, based on the following justification.

    8. If a complaint is dismissed, the Disputes Chamber is to motivate its decision gradually [2] and:

            - to issue a technical dismissal if the file contains no or insufficient elements that could lead to a conviction, or if there is insufficient prospect of a conviction due to a technical obstacle, which prevents it from reaching a decision;

            - or declare a policy rejection, if despite the presence of elements that could lead to a sanction, the continuation of the investigation of the dossier does not seem appropriate in the light of the priorities of the Data Protection Authority, as specified and explained in the dismissal policy of the Disputes Chamber. [3]

    9. In the event of dismissal on more than one ground, the grounds for dismissal (resp. technical dismissal and policy dismissal) should be treated in order of importance. [4]

    10. In the present file, the Disputes Chamber will dismiss the complaint, on the grounds of a lack of personal interest. What follows is the basis of the decision of the Disputes Chamber as to why it considers it undesirable to take further action on the file and therefore decides not to proceed with, inter alia, a hearing on the merits.

    11. First of all, the Disputes Chamber will check in accordance with its dismissal policy whether the submitted complaint contains grievances with a major personal impact. The Dispute Chamber emphasizes firstly that the complainant does not exercise any rights in this case. Neither in the communication he sent to the defendant nor in the actual complaint are any rights of a data subject, as included in the GDPR, exercised. The Dispute Chamber furthermore takes into account that the complainant does not demonstrate that he himself was a user of a parking with such a payment system.

    12. The complainant raises a socially relevant issue, but does not demonstrate that an effective infringement of the GDPR occurs. Since the complainant does not wish to exercise any rights of a data subject and merely requests more information about a possible GEB, the Disputes Chamber determines that the grievances put forward by the complainant do not meet the criteria of high personal impact, as described by the GBA in its dismissal policy.

[1] […]
[2] Court of Appeal Brussels, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020, p. 18.
[3] In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website: https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschillenkamer.pdf
[4] Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the dismissal policy of the Disputes Chamber.
[5] In accordance with grounds for dismissal B.5.


    13. Despite the fact that the Disputes Chamber cannot prima facie establish that no violations of the GDPR have occurred, the Disputes Chamber must, taking into account the lack of personal interest and the lack of documentary evidence, conclude that the complaint in this case does not require substantive treatment. Under Article 77 GDPR, every data subject whose personal data is processed within the territorial scope of the GDPR has a right of complaint. Moreover, in accordance with Article 58 WOG, anyone – and not just those involved – can file a complaint with the Data Protection Authority. However, this objective right to complain does not imply that any complaint can and will be thoroughly investigated by the competent authority, given the intrinsic lack of resources. [6] The Belgian legislator has explicitly recognised “the need for the Data Protection Authority to be able to act selectively with a view to an effective and efficient enforcement policy”.

    14. However, the Disputes Chamber points out the right of the complainant to submit a new complaint, if he can provide documents that prove that the complainant indeed has a personal interest and the complainant indicates which rights as a data subject have been violated (for example, the lack of information in accordance with Article 14 GDPR, when entering the parking garage, about the relevant processing of personal data, or a breach of confidentiality of personal data at the time of payment in accordance with Article 5.1.f GDPR). In that case, previously submitted complaints regarding the same issue will also be taken into account.

III. Publication and communication of the decision

    15. Considering the importance of transparency with regard to the decision-making of the Dispute Chamber, this decision will be published on the website of the Data Protection Authority. On the other hand, it is not necessary that the identification details of the parties are disclosed directly.

    16. In accordance with its dismissal policy, the Disputes Chamber will transmit the decision to the defendant. After all, the Disputes Chamber has decided to notify its dismissal decisions ex officio to the defendants. However, the Dispute Chamber refrains from such a notification when the complainant has requested anonymity vis-à-vis the defendant and the notification of the decision to the defendant, even if it is pseudonymised, nevertheless makes it possible to (re)identify the complainant [9]. However, this is not the case in the present case.

[6] Cf. Court of Justice EU, judgment of 16 July 2020, DPC v. Facebook Ireland & Maximillian Schrems, C-311/18, para. 112.
[7] Own emphasis in quotation, cf. Belgian Chamber of Representatives, Explanatory Memorandum to the Draft law establishing the Data Protection Authority, Doc. 2648/001 (Parliamentary term 54), available via: https://www.dekamer.be/kvvcr/showpage.cfm?section=/flwb&language=nl&cfm=/site/wwwcfm/flwb/flwbn.cfm?lang=N&legislat=54&fileID=2648, 51.
[8] Cf. Title 5 – Will the dismissal of my complaint be published? Will the other party be informed of this? of the dismissal policy of the Disputes Chamber.




FOR THESE REASONS,

the Disputes Chamber of the Data Protection Authority decides, after deliberation, to dismiss the present complaint on the basis of Article 95, § 1, 3° of the WOG.

Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notice, an appeal against this decision may be filed with the Market Court (court of appeal Brussels), with the Data Protection Authority as defendant.

Such an appeal can be lodged by means of an inter partes petition, which must contain the information listed in Article 1034ter of the Judicial Code. [10] The inter partes petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Dutch Civil Code, or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code).

To enable the complainant to consider other possible remedies, the Disputes Chamber will refer the complainant to the explanation in its dismissal policy. [12]

[9] Ibid.
[10] The petition states, under penalty of nullity:
 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number;
 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned;
 4° the subject matter and brief summary of the grounds of the claim;
 5° the judge before whom the claim is brought;
 6° the signature of the applicant or his lawyer.
[11] The petition with its attachment will be sent by registered letter, in as many copies as there are parties involved, to the clerk of the court or deposited at the registry.
[12] Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.


The Disputes Chamber emphasizes that the closure of cases by the Data Protection Authority may be taken into account in determining its future priorities and/or may give rise to future investigations on its own initiative by the Inspection Service of the Data Protection Authority.

(signed) Hielke HIJMANS

Chairman of the Disputes Chamber
  1. para 12.