APD/GBA (Belgium) - 91/2024: Difference between revisions
m (→Comment) |
|||
Line 90: | Line 90: | ||
In fact, the CJEU has even confirmed in the Schufa judgement that DPAs are required to deal with data subject complaints with all due diligence, and must react appropriately in order to remedy GDPR violations. The DPAs maintain a margin of discretion as to the choice of the appropriate means. Therefore, there is a choice of appropriate means, not a choice of (in)action. | In fact, the CJEU has even confirmed in the Schufa judgement that DPAs are required to deal with data subject complaints with all due diligence, and must react appropriately in order to remedy GDPR violations. The DPAs maintain a margin of discretion as to the choice of the appropriate means. Therefore, there is a choice of appropriate means, not a choice of (in)action. | ||
But even if it was said in an explanatory memorandum that the Belgian DPA must be able to act selectively with a view to an effective and efficient enforcement policy, | But even if it was said in an explanatory memorandum that the Belgian DPA must be able to act selectively with a view to an effective and efficient enforcement policy, such a practice would evidently be contrary to the GDPR and CJEU case-law. | ||
== Further Resources == | == Further Resources == |
Revision as of 07:46, 26 June 2024
APD/GBA - 91/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 77 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | |
Published: | 03.06.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 91/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | APD/GBA (in NL) |
Initial Contributor: | nzm |
The DPA dismissed a case considering that the objective right to lodge a complaint does not imply that every complaint can and will also be thoroughly investigated by the competent authority, which can choose to handle complaints selectively with a view to an effective and efficient enforcement policy.
English Summary
Facts
The data subject’s parents leased a property to a relative. Upon termination of the residential lease, a release of the rental deposit was agreed. The data subject was asked by a bank (‘controller’) to provide a copy of the identity cards of her parents, or for her parents to go to the bank in person for the purpose of identification.
The data subject refused to do so, arguing that neither the anti-money laundering legislation, nor the legislation on residential tenancy imposed such a requirement for the release of the rental deposit. Moreover, due to their health condition, her parents could not visit the controller in person.
The data subject still provided a copy of her parents’ identity card; expressly stating that this action did not imply her agreement with the requirement to present these documents. She lodged a complaint with the Belgian DPA (‘GBA’) against the controller.
Holding
The GBA explained that the DPA can decide to dismiss a case and that there are two types of dismissals: (i) a ‘technical dismissal’ if the case file contains no or insufficient elements that could lead to a conviction or (ii) a ‘policy dismissal’ if, despite the presence of elements that could lead to a sanction, the continuation of the examination of the complaint does not seem appropriate in the light of the priorities of the DPA. In the present case, the GBA adopted such a ‘policy dismissal’.
First, the GBA did not consider it appropriate to conduct a hearing on the merits because of the low probability of success of the complaint. The DPA explained that it was clear from the submissions made by the data subject that the controller processed identity cards in the context of the obligations imposed on financial banking institutions under the Anti-Money Laundering Act. This regulation requires banks to identify and verify persons at the beginning of the business relationship, but also on an ongoing basis when occasional transactions occur.
The DPA referred to the duty of identification (know your customer principle) and to the duty of vigilance (Anti-Money Laundering Act) and considered that due to the existence of such a legal obligation on the controller, it was not appropriate to deal with the complaint in a hearing on the merits.
Second, the GBA decided not to follow up on the case for reasons of expediency. The DPA indicated that under Article 77 GDPR, any data subject whose personal data are processed within the territorial scope of the GDPR has the right to lodge a complaint. However, the GBA held that this objective right to lodge a complaint does not imply that every complaint can and will also be thoroughly investigated by the competent authority, given the intrinsic lack of resources and referred to CJEU, 16 July 2020, DPC v Facebook Ireland and Maximilan Schrems, C-311/18, §112 for this argument. The DPA pointed out that in this regard, the Belgian legislator has explicitly recognised the need for the DPA to be able to act selectively with a view to an effective and efficient enforcement policy in an explanatory memorandum to a legislative measure proposal.
Finally, the GBA considered that the context of the complaint made it more appropriate for it to be dealt with by another competent authority.
Comment
The GDPR in no way states that the objective right to lodge a complaint does not imply that every complaint can and will be thoroughly investigated. The GBA referenced §112 of the Schrems II case which indicates the following:
“Although the supervisory authority must determine which action is appropriate and necessary and take into consideration all the circumstances of the transfer of personal data in question in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence.”
This in no way confirms the argument that the DPA is trying to put forward. Therefore, referencing this CJEU case to argue that a DPA does not have to thoroughly investigate the complaint given the intrinsic lack of resources is quite peculiar.
In fact, the CJEU has even confirmed in the Schufa judgement that DPAs are required to deal with data subject complaints with all due diligence, and must react appropriately in order to remedy GDPR violations. The DPAs maintain a margin of discretion as to the choice of the appropriate means. Therefore, there is a choice of appropriate means, not a choice of (in)action.
But even if it was said in an explanatory memorandum that the Belgian DPA must be able to act selectively with a view to an effective and efficient enforcement policy, such a practice would evidently be contrary to the GDPR and CJEU case-law.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/6 Dispute Chamber Decision 91/2024 of June 13, 2024 File number: DOS-2024-00832 Subject: Complaint regarding the obligation to submit (a copy). of) of the identity card at a financial banking institution for fraud prevention The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”; In view of the internal rules of order, as approved by the House of Representatives Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has made the following decision regarding: Complainant: X, hereinafter “the complainant” The defendant: Y, hereinafter “the defendant” Decision 91/2024 — 2/6 I. Facts and procedure 1. On 29 November 2023, the complainant lodges a complaint with the Data Protection Authority against the defendant. 2. The complainant's parents rented a property to a family member. Upon termination of the housing lease became a release of the rental deposit agreed. In this context, the defendant, a bank branch, informed the complainant asked to either provide a copy of the landlord's identity card, i.e. her parents, or that both parents would go to the bank office in person for the purpose of identification. The complainant initially refused this because she stated that neither the anti-money laundering legislation nor the legislation on residential rentals has any such effect requirement in the context of the release of the rental deposit. Besides, it was for her parents are unable to attend in person due to their health defendant. With a view to a quick release of the guarantee, the complainant has provided a copy of her parents' identity card, expressly stating: indicates that this action does not imply that she agrees with the requirement to do so to submit documents. 3. On February 14, 2024, the complaint will be declared admissible by the First Line Service on on the basis of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG transferred to the Disputes Chamber. II. Justification 4. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case the Disputes Chamber will dismiss the complaint in accordance with Article 95, § 1, 3° WOG, based on the following justification. 5. If a complaint is dismissed, the Disputes Chamber will make its decision to motivate gradually and: - to issue a technical dismissal if the file does not exist or is insufficient contains elements that could lead to a conviction, or if there is insufficient there is a prospect of a conviction due to a technical obstacle, which prevents her from reaching a decision; 1Court of Appeal Brussels, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020, p. 18. Decision 91/2024 — 3/6 - or declare a policy rejection, if despite the presence of elements that could lead to a sanction, the continuation of the investigation dossier does not seem appropriate in the light of the priorities of the Data Protection Authority, as specified and explained in the dismissal policy of the Disputes Chamber. 2 6. In the event of dismissal on more than one ground, the grounds for dismissal (resp. 3 technical dismissal and policy dismissal) should be treated in order of importance. 7. In the present file, the Disputes Chamber will dismiss the complaint, on the basis of policy grounds for dismissal. Below is an explanation of the reasoning of the Disputes Chamber that is the basis for the decision as to why considers it undesirable to take further action on the file and therefore decides not to proceed proceed to, inter alia, a substantive treatment. 8. In this case, the Disputes Chamber does not consider it appropriate to proceed with a hearing due to the low risk of the complaint. In accordance with Article 6 of the GDPR There are six possible legal grounds on which a controller can carry out processing can base. This is clearly evident from the documents submitted by the complainant The defendant's processing of the complainant's identity card is part of the obligations be imposed on a financial banking institution in accordance with the Wet tot prevention of money laundering and the financing of terrorism of the use of cash of October 6, 2017 (hereinafter: the Anti-Money Laundering Act). 9. Reference should therefore be made to the Anti-Money Laundering legislation that applies to financial banking institutions (in particular Article 8, §2, 1°, Article 19, §1, 1° and 3°, Article 21, §1 and 26, §1 and 27 and articles 30, 33 and 35). These provisions oblige banks to provide persons to identify and verify, not only at the beginning of the business relationship, but also continuously when occasional transactions occur (which is the case in this case). 4 10. The Disputes Chamber refers in this case to the identification obligation (according to the Know-Your- Customer/Know-Your-Customer principle), as well as to the duty of vigilance provided for in 5 the Anti-Money Laundering legislation. The Disputes Chamber does not consider the current complaints procedure to be appropriate 2In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website: https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf 3 Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the dismissal policy of the Disputes Chamber. 4G. GOYVAERTS and V. SEYNAEVE, “[Preventive part of the anti-money laundering legislation] The law of 18 September 2017” in A. TIBERGHIEN, Handbook of Tax Law, Wolters Kluwers Belgium, Mechelen, 2023, 3056. 5 Act of 18 September 2018 on the prevention of money laundering and the financing of terrorism and on limiting of the use of cash, hereinafter “Anti-Money Laundering Act”: https://www.ejustice.just.fgov.be/eli/wet/2017/09/18/2017013368/justel;enReglementvandeNationaleBankvanBelgiëvan November 21, 2017 on the prevention of money laundering and terrorist financing; D. Goens, Data protection at financial institutions, Intersentia, Antwerp, 2018, 442 et seq. Decision 91/2024 — 4/6 prevents the defendant from refusing to issue the requested release of the rental deposit if the complainant continues to refuse the requested identification documents from her parents and/or provide the update of these identification documents to the defendant and that in the light of the aforementioned Anti-Money Laundering legislation. The Dispute Chamber points out Please note that the institutions subject to these anti-money laundering obligations have a have developed procedural processing activity that is plausible and that it presentation of (a copy of) the electronic identity card anti-money laundering purposes are not questioned by the Disputes Chamber. Also the necessary/legal updating of the personal data via another copy or reading of the identity card is not questioned by the Disputes Chamber. 11. It is because of the existence of such a legal obligation under defendant that the Disputes Chamber does not consider it appropriate to file the relevant complaint ground to be treated. Primafacie, they cannot establish a violation of the GDPR. 12. The Disputes Chamber decides not to follow up on the matter for expediency reasons file. Under Article 77 of the GDPR, every data subject whose personal data are processed within the territorial scope of the GDPR, of a right of complaint. However, this objective right to complain does not imply that every complaint also applies can and will be thoroughly investigated by the competent authority, given the intrinsic nature lack of resources. 7 The Belgian legislator has recognized in this regard “the need for the Data protection authority to be able to act selectively with a view to a effective and efficient enforcement policy” is explicitly recognised. 8 13. Secondly, and in a subordinate order, the Disputes Chamber determines that the complaint is appropriate in a broader context which it is more appropriate to be dealt with by a other competent authority. The Disputes Chamber determines that the complaint must be framed are in the broader context of the release of the rental deposit and the applicable procedures set up for this purpose by the defendant in accordance with applicable legislation about this. The Disputes Chamber does not consider it appropriate for it to suspend the procedures of to test the defendant regarding the release of the rental deposit against the applicable legislation in this regard. Bearing this in mind, the Disputes Chamber rules that its intervention in in this case is not strictly necessary and that it is more expedient for the complainant to 6See in particular Article 35 of the Anti-Money Laundering Act 7Cf. Court of Justice EU, judgment of 16 July 2020, DPC v. Facebook Ireland & Maximillian Schrems, C-311/18, para. 112 8 Own emphasis in quotation, cf. Belgian Chamber of Representatives, Explanatory Memorandum to the Draft law establishing the Data Protection Authority, Doc. 2648/001 (Parliamentary term 54), available via: https://www.dekamer.be/kvvcr/showpage.cfm?section=/flwb&language=nl&cfm=/site/wwwcfm/flwb/flwbn.cfm?lang=N&leg islat=54&fileID=2648, 51 9 Ground for dismissal B.3 of the dismissal policy of the Disputes Chamber, dated. June 18, 2021, available via https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf. Decision 91/2024 — 6/6 in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code). To enable the complainant to consider other possible remedies, the Disputes Chamber will refer the complainant to the explanation in its dismissal policy. 15 (get). Hielke H IJMANS Chairman of the Disputes Chamber 14The application and its attachment will be sent by registered letter in as many copies as there are parties involved deposited with the clerk of the court or at the registry. 15Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.