APD/GBA (Belgium) - 69/2024: Difference between revisions

From GDPRhub
(Comment)
No edit summary
Line 10: Line 10:
|ECLI=
|ECLI=


|Original_Source_Name_1=APD/GBA
|Original_Source_Name_1=APD/GBA (Belgium)
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-69-2024.pdf
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-69-2024.pdf
|Original_Source_Language_1=Dutch
|Original_Source_Language_1=Dutch
Line 20: Line 20:


|Type=Complaint
|Type=Complaint
|Outcome=Upheld
|Outcome=Rejected
|Date_Started=28.03.2024
|Date_Started=
|Date_Decided=02.05.2024
|Date_Decided=02.05.2024
|Date_Published=
|Date_Published=
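Review bot: Date_Started is blanked in this hunk rather than corrected. The decision text on this page gives March 7, 2024 as the date the complaint was filed with the GBA and March 28, 2024 as the date it was declared admissible, so the field could carry the filing date instead of being left empty.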
Line 28: Line 28:
|Currency=
|Currency=


|GDPR_Article_1=
|GDPR_Article_1=Article 32 GDPR
|GDPR_Article_Link_1=
|GDPR_Article_Link_1=Article 32 GDPR
|GDPR_Article_2=
|GDPR_Article_2=
|GDPR_Article_Link_2=
|GDPR_Article_Link_2=
|GDPR_Article_3=
|GDPR_Article_Link_3=


|EU_Law_Name_1=
|EU_Law_Name_1=
Line 38: Line 40:
|EU_Law_Link_2=
|EU_Law_Link_2=


|National_Law_Name_1=Article 95 of the Act of 3 December 2017 establishing the Data Protection Authority
|National_Law_Name_1=
|National_Law_Link_1=https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2017120311&table_name=loi
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Name_2=
|National_Law_Link_2=
|National_Law_Link_2=
|National_Law_Name_3=
|National_Law_Link_3=


|Party_Name_1=
|Party_Name_1=X
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=Y
|Party_Link_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=


|Appeal_To_Body=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=nzm
|Initial_Contributor=
|
|
}}
}}


The DPA dismissed a complaint considering that the measures taken by the controller, namely informing the DPA and the data subject of the breach of personal data and taking action to prevent a similar breach in the future, rendered any further corrective measures unnecessary.
The DPA dismissed the complaint on the data breach as the controller managed it according to [[Article 32 GDPR|Article 32 GDPR]].


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject sent an email to the controller complaining about the fact that one of their employees, which was his ex-girlfriend, had consulted his personal data several times in the past year and a half. The employee admitted this to the controller.  
A bank’s employee, an ex-girlfriend of data subject, was deemed to consult the personal data of data subject for one and a half of a year. According to the data subject, the employee admitted the bank (data controller) she consulted data subject’s data.  


The data subject inquired about the measures taken against the employee. The controller responded that the employee consulted the data subject's data without professional context nor mandate, and that 'necessary and proportionate' measures were taken against her. The controller also indicated that the breach was reported to the Belgian DPA ('GBA').
The data subject contacted the controller twice, claiming controller’s employee breached the confidentiality of the data and asking about the measures took against the employee. As the implemented measures were found inadequate, later on, the data subject decided to file a complaint with the police (on charge of stalking).  


He replied that he lodged a complaint with the police as he felt morally harmed and was distressed that he could be stalked any longer given that the controller allegedly failed to take sufficient measures to prevent it. He also stated that he would complain with the GBA.
In response, the controller explained that the employee processed data without professional context and authorization of the controller. Also, the controller, implemented necessary and proportionate measures, as well as reported the breach with the Dutch DPA (APD/GBA).
 
The data subject did not share the views of the controller, and, consequently filed a complaint with the DPA and the National Ombudsman (Nationale ombudsman), claiming the breach of data confidentiality by the controller.


=== Holding ===
=== Holding ===
The GBA explained that when it dismisses a complaint, it must give reasons for doing so. The dismissal can be of two sorts: (i) a ‘technical dismissal’ if the case file contains no or insufficient elements that could lead to a conviction or (ii) a ‘policy dismissal’ if, despite the presence of elements that could lead to a sanction, the continuation of the examination of the complaint does not seem appropriate in the light of the priorities of the DPA.
The DPA dismissed the complaint.
 
In the present case, the GBA adopted a ‘policy dismissal’ , and justified this position with two reasons. First, the DPA considered that the subject of the complaint disappeared as a result of the measures taken by the controller. The GBA stated that the controller alerted the DPA on the possible breach of personal data of the data subject by an employee. The controller also informed the data subject of this breach and stated that the necessary and proportionate measures would be taken to avoid this breach in the future. Therefore, the DPA considered that there were no elements to indicate that the breach had not stopped and that the measures taken would not have been sufficient to prevent a similar breach in the future.


Second, the GBA held that the complaint seems to be a supplement to a broader dispute that should be resolved before the courts of appeal. Indeed, the data subject filed a complaint with the police stating that he no longer wanted to be stalked. The DPA noted that stalking is criminalized under the Belgian Criminal Code. Therefore, the DPA found that this does not fall under its jurisdiction, nor is it competent to assess any moral damage from a breach. The GBA also took into account the fact that the complaint was lodged with the police before it was lodged with the DPA.  
Firstly, the actions took by the controller after data subject’s notification were sufficient in the situation at hand. The controller implemented measures which adequately dealt with the breach of confidentiality. As a result, the DPA found no evidence that the measures were ineffective, especially they did not stop the employee from further unlawful conduct. At the same time, the controller acted proactively, preventing similar breach to occur in the future. Therefore, the subject matter of the case was obsolete.  


Hence, the GBA dismissed the complaint.
Secondly, the DPA stated the compliant brought by the data subject also covered the criminal offence of stalking. However, the DPA had no jurisdiction over criminal cases of that kind, which made this part of compliant inadmissible.


== Comment ==
== Comment ==
Although the DPA does not explicitly mention this, the controller seems to be accused of a breach of [[Article 32 GDPR]], due to the lack of security measures initially implemented.
''Share your comments here!''
 
It would also appear that 'policy dismissal' does not seem in line with the recent [https://gdprhub.eu/index.php?title=CJEU_-_Joined_Cases_C%E2%80%9126/22_and_C%E2%80%9164/22_-_SCHUFA Schufa judgement]. Indeed, the CJEU stressed that DPAs are required to deal with data subject complaints with all due diligence, and must react appropriately in order to remedy GDPR violations. The DPAs maintain a margin of discretion as to the choice of the appropriate means. Therefore, there is a choice of appropriate means, not a choice of (in)action.
 
In the present case, the DPA dismissed the complaint considering the violation had been remedied. Nonetheless, the 'policy dismissal' applied by the Belgian DPA does not seem to comply with this requirement of dealing with complaints with all due diligence, as it allows the DPA to dismiss a complaint if it does not seem 'appropriate in the light of the priorities of the DPA'.


== Further Resources ==
== Further Resources ==
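Review bot: the rewritten Facts paragraph says the controller reported the breach to "the Dutch DPA (APD/GBA)", while the infobox in this same revision names the authority "APD/GBA (Belgium)" and the replaced text had "Belgian DPA"; the earlier wording should be kept. The new Holding also drops the distinction between technical and policy dismissal that the replaced text explained, spells "complaint" as "compliant" twice, and the Comment on Article 32 GDPR and the Schufa judgment is replaced by the placeholder. If removing that analysis is intended, an edit summary saying so would help, since the revision has none.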
Line 146: Line 146:




The defendant: La banque Y, hereinafter “the defendant”. Decision 69/2024 — 2/6
The defendant: La banque Y, hereinafter “the defendant”.                                                                           Decision 69/2024 — 2/6




Line 212: Line 212:


       of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG
       of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG
       transferred to the Disputes Chamber. Decision 69/2024 — 3/6
       transferred to the Disputes Chamber.                                                                                 Decision 69/2024 — 3/6




Line 271: Line 271:
  8. Firstly, the subject of the complaint appears to have disappeared as a result of the measures taken
  8. Firstly, the subject of the complaint appears to have disappeared as a result of the measures taken


       were taken by the controller. 4
       were taken by the controller.     4




Line 291: Line 291:


dismissal policy of the Disputes Chamber.
dismissal policy of the Disputes Chamber.
4Cf. criterion B.6 in the dismissal policy of the Disputes Chamber. Decision 69/2024 — 4/6
4Cf. criterion B.6 in the dismissal policy of the Disputes Chamber.                                                                           Decision 69/2024 — 4/6




Line 371: Line 371:
  in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit information system
  in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit information system


  of the Ministry of Justice (Article 32ter of the Ger.W.).
  of the Ministry of Justice (Article 32ter of the Dutch Civil Code).




Line 443: Line 443:




1The petition with its attachment will be sent by registered letter, in as many copies as there are parties involved
1The petition with its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.
deposited with the clerk of the court or at the registry.


1Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.
1Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.
</pre>
</pre>

Revision as of 11:04, 5 August 2024

APD/GBA - 69/2024
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 32 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 02.05.2024
Published:
Fine: n/a
Parties: X
Y
National Case Number/Name: 69/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD/GBA (Belgium) (in NL)
Initial Contributor: n/a

The DPA dismissed a complaint about a data breach, as the controller had managed it in accordance with Article 32 GDPR.

English Summary

Facts

A bank employee, an ex-girlfriend of the data subject, was deemed to have consulted the data subject’s personal data over a period of one and a half years. According to the data subject, the employee admitted to the bank (the data controller) that she had consulted the data subject’s data.

The data subject contacted the controller twice, claiming that the controller’s employee had breached the confidentiality of the data and asking about the measures taken against the employee. As the implemented measures were found inadequate, the data subject later decided to file a complaint with the police (on a charge of stalking).

In response, the controller explained that the employee had processed the data without a professional context and without the controller’s authorization. The controller also implemented necessary and proportionate measures and reported the breach to the Dutch DPA (APD/GBA).

The data subject did not share the controller’s views and consequently filed a complaint with the DPA and the National Ombudsman (Nationale ombudsman), alleging a breach of data confidentiality by the controller.

Holding

The DPA dismissed the complaint.

Firstly, the actions taken by the controller after the data subject’s notification were sufficient in the situation at hand. The controller implemented measures which adequately dealt with the breach of confidentiality. As a result, the DPA found no evidence that the measures were ineffective, in particular that they did not stop the employee from further unlawful conduct. At the same time, the controller acted proactively to prevent a similar breach from occurring in the future. Therefore, the subject matter of the case was obsolete.

Secondly, the DPA stated that the complaint brought by the data subject also covered the criminal offence of stalking. However, the DPA had no jurisdiction over criminal cases of that kind, which made this part of the complaint inadmissible.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Dispute Chamber

Decision 69/2024 of May 2, 2024

File number: DOS-2024-01292

Subject: Your complaint regarding a breach of your confidentiality personal data

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”;

In view of the internal rules of order, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Has made the following decision regarding:

Complainant: X, hereinafter “the complainant”;

The defendant: La banque Y, hereinafter “the defendant”.


I. Facts and procedure

1. The subject of the complaint concerns an alleged breach of confidentiality personal data of the complainant that are processed by the defendant.

2. On March 7, 2024, the complainant filed a complaint with the GBA. The complaint concerns an infringement the confidentiality of the complainant's personal data by an employee of the defendant.

    On February 8, 2024, the complainant sent an email to the defendant to complain about an employee who would use the complainant's personal data several times have been consulted in the last 1.5 years. The employee was due to do so in December 2023 have been addressed by the defendant and the consultations of the admitted personal data. The complainant inquired about the measures taken against this employee, who has also been the ex-girlfriend of 1.5 years complainant were struck by the defendant.

    On February 16, 2024, the complainant contacted the defendant again inquire about the measures taken against the employee, because he had been told that these measures were far from sufficient.

    On February 17, 2024, the complainant filed a complaint with the police, of which the PV is responsible attached in the documents. The complainant stated that he felt morally damaged and to be concerned that the defendant could no longer be stalked would have taken sufficient measures to prevent this.

    On February 28, 2024, the defendant responded to the complaint. She confirmed that the employee consulted the complainant's data “without a professional context and without a mandate”. “Necessary and proportionate measures” were taken against the employee. The defendant also reported that the infringement was reported to the Data Protection Authority.

    On March 4, 2024, the complainant responded to the communication by email defendant with the message that he did not consider the measures proportionate and that in the meantime he had filed a complaint with the police against the employee. He asked also that he would file a complaint with the ombudsman and with the Data Protection Authority.

3. On March 28, 2024, the complaint was declared admissible by the First Line Service on the grounds of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG transferred to the Disputes Chamber.



II. Justification

4. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case the Disputes Chamber will dismiss the complaint in accordance with Article 95, § 1, 3° WOG, based on the following justification.

5. If a complaint is dismissed, the Disputes Chamber will make its decision to motivate gradually and: 1

    - to issue a technical dismissal if the file does not exist or is insufficient contains elements that could lead to a conviction, or if there is insufficient there is a prospect of a conviction due to a technical obstacle, which prevents her from reaching a decision;

    - or declare a policy rejection, if despite the presence of elements that could lead to a sanction, the continuation of the investigation dossier does not seem appropriate in the light of the priorities of the Data Protection Authority, as specified and explained in the dismissal policy of the Disputes Chamber. 2

6. In the event of dismissal on more than one ground, the grounds for dismissal (resp. technical dismissal and policy dismissal) should be treated in order of importance. 3

7. In the present file, the Disputes Chamber will dismiss the complaint, on the basis of an expediency dismissal. There are two motives underlying the decision of the Disputes Chamber as to why it considers it undesirable to take further action to the file and therefore decides not to proceed with, inter alia, a hearing at ground

8. Firstly, the subject of the complaint appears to have disappeared as a result of the measures taken were taken by the controller. 4

    The complaint of February 8, 2024, addressed to the defendant, seems to have been brought to her attention have on the possible violation of the confidentiality of the personal data of the complainant by an employee. This means that the defendant is the employee who allegedly admitted the violation.

    On February 28, 2024, the defendant informed the complainant of this violation of the confidentiality of personal data and of the necessary and proportionate measures that would have been taken to avoid this violation in the future. The defendant has also submitted a data breach notification to the Data Protection Authority.

9. The Disputes Chamber has no elements that could indicate that the violation of the confidentiality of the complainant's personal data would not have stopped and that the defendant's measures would not have been sufficient to prevent a to prevent similar violations in the future. Without the importance of it forward want to minimize the incident, the Disputes Chamber rules that a treatment on the merits does not seem appropriate.

10. Secondly, the complaint is a secondary dispute in a broader dispute that must be settled for courts and tribunals. 5

    Following the alleged facts, the complainant filed a complaint on February 17, 2024 submitted to the police, the report of which was added to the documents. In this complaint the complainant declares that he no longer wants to be stalked and that he feels morally damaged.

    Stalking, which is the legal term under attack, is made punishable in Article 442bis of the Criminal Code, 6 which does not fall within the powers of the Disputes Chamber. The Disputes Chamber is also not authorized to assess any moral damage suffered by a party assess data protection breach.

    Given the interpersonal context of the complaint, given the complaint filed with the police before a complaint was filed with the Data Protection Authority and seen the Disputes Chamber does not appear to have jurisdiction over various elements of the main dispute a treatment on the merits of this breach of confidentiality personal data by the Disputes Chamber is also not appropriate.

III. Publication and communication of the decision

11. Considering the importance of transparency with regard to decision-making Dispute Chamber, this decision will be published on the website of the

1 Court of Appeal Brussels, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020, p. 18.

2 In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website: https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf

3 Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the dismissal policy of the Disputes Chamber.

4 Cf. criterion B.6 in the dismissal policy of the Disputes Chamber.

5 Cf. criterion B.3 in the dismissal policy of the Disputes Chamber.

6 Article 442bis SW: “He who has harassed a person while he knew or should have known that his behavior caused him to rest in peace would seriously disturb that person, shall be punished with imprisonment of fifteen days to two years and with fine of fifty [euros] to three hundred [euros] or one of those penalties alone. […]”


in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Dutch Civil Code).

To enable the complainant to consider other possible remedies, the Disputes Chamber will refer the complainant to the explanation in its dismissal policy. 11

[The Dispute Chamber emphasizes that the closure of cases by the Data Protection Authority may be taken into account for its future determine priorities and/or may give rise to future investigations on its own initiative by the Inspection Service of the Data Protection Authority].

(signed) Hielke HIJMANS
Chairman of the Disputes Chamber

1The petition with its attachment will be sent by registered letter in as many copies as there are parties involved deposited with the clerk of the court or at the registry.

1Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.