APD/GBA (Belgium) - 107/2024: Difference between revisions

From GDPRhub
Revision as of 06:45, 24 September 2024

APD/GBA - 107/2024
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.08.2024
Published:
Fine: 100,000 EUR
Parties: n/a
National Case Number/Name: 107/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: wp

The DPA fined a controller €100,000 for failing to answer a data subject’s access request in a timely manner. However, the DPA rejected the data subject’s request to receive information on the specific employees who accessed their data.

English Summary

Facts

The data subject was a customer of a telecommunication company (the controller). The controller unilaterally modified the subscriptions and billings of the data subject. The data subject opposed these changes and initiated mediation proceedings before the Telecommunications Mediation Service (Service de médiation pour les télécommunications). During the proceedings, the controller explained it was a human error that caused the modification.

The data subject filed an access request under Article 15 GDPR with the controller, indicating they were interested in data from the exact period and in information about which employees accessed their data and for what reason. The data subject explicitly wished for a response in a table format.

The data subject received partially anonymised data relating to their contract with the controller. The controller disclosed neither the identity of the employees who accessed the data subject’s data nor the purpose of that access.

Due to the lack of a satisfactory response from the controller, the data subject lodged a complaint with the Belgian DPA (APD/GBA).

In response to the complaint, the controller clarified that the access request referred to data regarding employees of the controller. Because of that, the request was not answered as expected by the data subject.

Holding

The DPA upheld the complaint partially.

Although, prior to the access request, the data subject already had some data, it didn’t influence their right to access. Article 12(3) GDPR sets out prerequisites to dismiss, inter alia, the data subject’s access request. None of the reasons stipulated in that provision was applicable in the case at hand. The DPA emphasised the controller was not relieved from their duty to fully answer an access request only because the data subject already possessed the data.

However, the DPA found that the data subject's request to receive information on the specific employees who accessed their data was unfounded. Data of that kind could be disclosed if there was a prevailing interest of the data subject. Yet, the data subject didn’t demonstrate any interest to access information regarding the controller's employees. Hence, the controller was not obliged to include employees’ data in their response to the access request.

Nevertheless, the controller failed to handle the access request in accordance with Article 12(2) GDPR. The electronic communication channel used by the controller didn’t contain the functionality of responding to the data subject’s messages. Moreover, the controller’s employees didn’t properly manage the access request. For this reason, the access request was answered after the time limit of Article 12(3) GDPR had expired. The DPA noted that the full answer to the access request was eventually provided during the proceedings before the DPA. According to the DPA, such conduct amounted to gross negligence of the controller’s duties. As a result, the controller violated Article 15 GDPR. The DPA imposed a fine of €100,000.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.


Litigation Chamber

Decision on the merits 107/2024 of 23 August 2024

File number: DOS-2022-02420

Subject: Complaint regarding a response granted with a delay of more than 14 months from the exercise of the complainant's right of access

The Litigation Chamber of the Data Protection Authority, consisting of Mr. Hielke HIJMANS, President, and Messrs. Dirk Van Der Kelen and Christophe Boeraeve, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter "LCA");

Having regard to the internal rules as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Journal on 15 January 2019¹;

Having regard to the documents in the file;

Has taken the following decision concerning:

The complainant: X, hereinafter "the complainant";

The defendant: Y, hereinafter “the defendant”

¹ The new internal regulations of the APD, following the amendments made by the Law of 25 December 2023 amending the law of 3 December 2017 establishing the data protection authority (LCA) came into force on 01/06/2024. In accordance with Article 56 of the law of 25 December 2023, it only applies to complaints, mediation files, requests, inspections and procedures before the Litigation Chamber initiated from this date: https://www.autoriteprotectiondonnees.be/publications/reglement-d-ordre-interieur-de-l-autorite-de-protection-des-donnees.pdf. Cases initiated before 01/06/2024, as in this case, are subject to the provisions of the LCA as not amended by the Law of 25 December 2023 and the internal regulations as they existed before that date.

I. Facts and procedure

1. On 7 June 2022, the complainant filed a complaint with the Data Protection Authority against the defendant.

2. The complaint concerns the follow-up given to the complainant's exercise of his right of access.

3. The complainant was a customer of the defendant - the latter being a telecommunications company. Between 27 January 2021 and 26 February 2021, the defendant modified several of the complainant's subscriptions and billings, even though the latter had not made any such request.

4. On 27 August 2021, at the end of a mediation procedure initiated by the complainant on 26 June 2021 with the Telecommunications Mediation Service, the Ombudsman closed the procedure, considering that all the useful information requested by the complainant had been communicated to him. As part of this procedure, the defendant informed the complainant that the inconveniences suffered in connection with his various subscriptions and billings with it were caused by human error. Following this response, the complainant stated that he was still waiting for an exact clarification of the situation.

5. On 25 January 2022, the complainant contacted the defendant via his Messenger chat, asking for the contact details of its Data Protection Officer (DPO hereinafter). This responds that she does not have a DPO email address but still processes her request in the chat.

6. On the same day, the complainant indicates that she wants to exercise her right of access on the basis of Article 15 of the GDPR, and specifies that she wants to be informed for a period from January 1, 2021 to December 31, 2021. He also specifies that he wants a response in a table format that he indicates in the chat, including for each access to his personal data the following elements: date, employee or "employee number", and reason(s) for access.

7. Still on the same day, the defendant asks the complainant to clarify his request. The complainant responds the next day that his request is simple and clear.

8. On 13 March 2022, the complainant reminded the defendant of his request for access, and informed that if he did not respond before the end of March 2022, a complaint would be filed with the DPO. On the same day, the defendant, still via chat, asked the complainant for further explanations in order to be able to carry out the necessary checks. The complainant responded by explaining that he wanted to know which of the defendant’s employees had accessed his personal data. The defendant replied that it was not possible to know, and that the request was “beyond [its] scope of intervention”. The complainant indicated again that his request was addressed to the DPO, and that if he did not respond before the end of March, he would file a complaint with the DPO. The employee (in charge of the chat) of the defendant responds by inviting the complainant to contact her again for any other request.

9. On June 9, 2022, the complaint is declared admissible by the Front Line Service on the basis of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Chamber under Article 62, § 1 of the LCA.

10. On February 27, 2023, the Litigation Chamber decides, under Article 95, § 1, 1° and Article 98 of the LCA, that the case can be dealt with on the merits.

On the same date, the parties concerned are informed by registered mail of the provisions as set out in Article 95, § 2 and Article 98 of the LCA. They are also informed, pursuant to Article 99 of the LCA, of the deadlines for submitting their submissions. The deadline for receipt of the respondent's submissions in response has been set at 10 April 2023, that for the complainant's submissions in reply at 1 May 2023 and that for the respondent's submissions in reply at 22 May 2023.

11. On 2 March 2023, the respondent agrees to receive all communications relating to the case by electronic means and expresses its intention to use the possibility of being heard, in accordance with Article 98 of the LCA. She requested by the same email a copy of the file (art. 98, §2, 3° LCA), which was sent to her on March 14, 2023.

12. On March 22, 2023, the complainant agreed to receive all communications relating to the case electronically.

13. On March 28, 2023, the defendant responded to the complainant's request for access by providing the activity logs relating to the complainant's contract covering the entire year 2021. For security and confidentiality reasons, the defendant anonymized all "logins".

14. On April 7, 2023, the Litigation Chamber received the submissions in response from the defendant. The latter having filed summary submissions, its argument is summarized in point 16 below.

15. On 30 April 2023, the Litigation Chamber received the submissions in reply from the complainant. In summary, here is what the complainant defends:

- He requests that his complaint be declared well-founded;

- The rights he derives from Articles 12 and 15 of the GDPR have not been respected by the defendant, it being understood that it did not allow him to contact its DPO, that it responded to his request for access with a year and a half delay, and that it has never responded concerning the purposes for which its employees accessed the complainant's account and personal data;

- To impose a more severe sanction than a warning, taking into account the number of requests and reminders that he made;

- To anonymize all personal data relating to it;

- Not to anonymize the defendant.

16. On May 22, 2023, the Litigation Chamber receives the summary conclusions from the defendant. In summary, the latter defends the following:

- It was not its responsibility to provide access to the information requested by the complainant it being understood: (i) that the personal data of the employees of the defendant do not constitute personal data of the complainant himself and that the same employees cannot be considered as recipients of the data within the meaning of Art. 15.1.c) of the GDPR², (ii) that the complainant had all the information at the time of filing this complaint, it being understood that the contact address of the defendant's DPO could be found on the latter's website and that the responses to the other requests he made were brought to his attention on 30 July 2021, and (iii) that the right conferred by Article 15 of the GDPR does not constitute an absolute right, and that he may therefore encounter certain limits when it is balanced against the rights and freedoms of third parties (Article 15.4 GDPR), as in this case where the rights and freedoms of the defendant’s employees prevail over the complainant’s right of access;

- Failure to meet the response deadline provided for in Article 12.3 GDPR cannot in itself result in a sanction;

- The Litigation Chamber cannot take a decision on the breaches alleged by the complainant in his email of 23 March but which did not appear in the invitation to conclude letter that it sent to the parties on 27 February 2023, it being understood that the defendant cannot be expected to defend itself against them adequately;

- To declare the breaches alleged by the complainant unfounded if the Litigation Chamber were to examine them.

17. On 29 April 2024, the parties were informed that the hearing would take place on 31 May 2024.

18. On 31 May 2024, the parties were heard by the Litigation Chamber.

19. On 10 June 2024, the minutes of the hearing were submitted to the parties.

² It is clear from the defendant’s submissions that it was Article 15.1.b) of the GDPR that was cited. However, it appears from reading these submissions that the defendant was referring to Article 15.1.c) of the same Regulation.

20. On 12 June 2024, the Litigation Chamber received from the defendant some formal remarks relating to the minutes, which were annexed to the latter in accordance with Article 54, paragraph 2 of the Rules of Procedure.

21. On 17 June 2024, the Litigation Chamber received from the complainant some remarks relating to the minutes. These called for substantial changes to the minutes, which could not be made since the discussions had been closed at the end of the hearing.

22. On 3 July 2024, the Litigation Chamber informed the defendant of its intention to impose an administrative fine and the amount of the fine, in order to give the defendant the opportunity to defend itself before the penalty is actually imposed.

23. On 22 July 2024, the Litigation Chamber received the defendant's reaction regarding the intention to impose an administrative fine and the amount of the fine. The content of the defendant's reaction is summarised in points 85 et seq.

II. Grounds

II.1. As to the alleged violation of the right of access (Article 15 of the GDPR)

II.1.1. As for the content of the follow-up granted to the right of access by the defendant

24. The Litigation Chamber recalls that Article 4,1) of the GDPR defines personal data as "any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an "identifiable natural person" is deemed to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more specific elements specific to his physical, physiological, genetic, mental, economic, cultural or social identity; […]".

25. Processing of personal data means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

³ GDPR, Art. 4.2.

26. Under Article 15.1 of the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. Where this is the case, the data subject has the right to obtain access to said personal data as well as to a series of information listed in Article 15.1 a) to h) such as the purpose of the processing of his/her data, the possible recipients of his/her data as well as information relating to the existence of his/her rights, including the right to request the rectification or erasure of his/her data or the right to file a complaint with the DPA.

27. The third paragraph of Article 15 specifies that “the data controller shall provide a copy of the personal data being processed. […]”. This paragraph enshrines one and the same right with the first paragraph of the same article. Furthermore, it is clear from the case law of the CJEU that this right implies the possibility for the person concerned to obtain "the reproduction of extracts from documents or even entire documents or extracts from databases […]" if this proves essential. However, the reading of this right cannot be dissociated from that of Article 15.4 which provides that a balance must be made with the rights and freedoms of others, where appropriate.

28. The Litigation Chamber recalls that the right of access constitutes an essential requirement of the right to data protection, since it constitutes the “gateway” that allows the exercise of the other rights conferred by the GDPR on the data subject.⁶

29. In the present case, it appears that the complainant exercised his right of access on 25 January 2022, a request to which the defendant responded on 28 March 2023 by providing the complainant with a partially anonymised version of the activity logs relating to his contract spanning the whole of 2021. The defendant adds in its submissions that the complainant had already asked questions similar to those in his request for access in the context of the mediation procedure (see point 4), which ended on 27 August 2021, it being understood that the Ombudsman considered that all the information useful had been communicated to the complainant.

30. In this regard, it must be clarified that in no way could a data controller be discharged from its obligation to follow up on the exercise of the right of access on the sole ground that the complainant already had the requested information prior to the exercise of said right. Article 12.5 does provide that it may in particular be refused to comply with the exercise of one of the rights referred to in Articles 15 to 22 of the GDPR where the request of the data subject is manifestly unfounded or excessive, however none of these two exceptions were not invoked by the defendant. In any case, the use of one of these exceptions must, under Article 12.4 of the GDPR, be notified to the data subject as soon as possible, and at the latest “within one month of receipt of the request […]” – this being absent from the exchanges between the complainant and the defendant.

⁴ CJEU, judgment of 4 May 2023, Österreichische Datenschutzbehörde, C-487/11, paragraph 32.
⁵ CJEU, judgment of 12 January 2023, Österreichische Post AG, C-154/12, paragraph 41.
⁶ CJEU, judgment of 12 January 2023, Österreichische Post AG, C-154/12, paragraphs 37 and 38; CJEU, judgment of 20 December 2017, Nowak, C-434/16, paragraph 57; CJEU, judgment of 17 July 2014, YS et al., C-141/12 and C-372/12, paragraph 44; CJEU, judgment of 7 May 2009, Rijkeboer, paragraph 52.

31. Concerning the content of the follow-up given to the request for access, the complainant stated in his submissions that he remained dissatisfied (a) in that he had not obtained additional explanations as to the purposes of the processing carried out by the employees of the defendant, and (b) in that he had not obtained the identity of the employees of the defendant who had carried out the said processing. However, the complainant explicitly stated during the hearing held on 31 May 2024 (see point 18) that he was satisfied with the response that the defendant sent him following his request for access made on 25 January 2022 – but not with the manner in which the response was delivered to him.

The Litigation Chamber nevertheless considers it important to carry out the examination below, since it is in no way relieved of the examination of compliance with the GDPR by the fact that part of the complaint has become moot.

a) Access to the purposes of the processing

32. On the one hand, it is clear from the documents in the case that the defendant communicated a partially anonymized version of the activity logs covering the whole of 2021 relating to the complainant's contract dated 28 March 2023. In addition, the complainant stated that he was satisfied with the data he received following the email of 28 March 2023.

33. It therefore appears to the Litigation Chamber that the complainant's request relating to the purposes of the processing has been exhausted.

b) Access to the identity of employees who carried out the processing

34. On the other hand, the Litigation Chamber notes that the defendant refused to grant access to the personal data relating to its employees (see points 7 and 16) – request made on 25 January 2022 by the complainant.

35. The Litigation Chamber recalls in this regard that the personal data of employees do not constitute personal data of the data subject, which therefore places them outside the scope of Article 15 of the GDPR.⁸ However, recital 63 of the GDPR specifies that this cannot lead a data controller to “refuse any communication of information to the data subject.”.

⁷ Decision of the Contentious Chamber 63/2020 of 22 September 2020, paragraph 16.
⁸ CJEU, judgment of 22 June 2023, Pankki S., C-579/21, paragraph 83.

36. Furthermore, it is also clear from the case-law of the CJEU that, given the essential role that the right of access plays for data subjects, the latter may access the personal data of employees of a controller who has processed their personal data if this proves necessary for the exercise of the other rights guaranteed to them by the GDPR.⁹ Furthermore, a balance must be struck between the right of access of the data subject in question and – as set out in Article 15.4 of the GDPR – the rights and freedoms of others (corresponding, in this case, to the employees of the defendant).

37. The Litigation Chamber further specifies that the CJEU makes a distinction between an employee who acts according to the instructions and under the authority of his employer, and an employee who acts outside the instructions and authority of his employer – the former benefiting from greater protection of his identity than the latter. However, this distinction has no impact in the present case.

38. Indeed, the Litigation Chamber notes that the complainant does not demonstrate, in his submissions, any interest in obtaining the identity of the employees who have mistakenly processed his personal data. Furthermore, the complainant indicates in his submissions that he has an interest in knowing the purposes of the processing of his personal data, but not necessarily the identity of the employees who carried out this processing. During the hearing held on 31 May 2024, the complainant stated that he had no interest in accessing the purposes of the processing of his data, nor in the identity of the employees who carried out the processing.

39. Consequently, the Litigation Chamber considers that the rights and freedoms of the defendant's employees prevail over the complainant's right to access their identity.

40. In any event, the Litigation Chamber recalls, emphasizing the reasoning given by the defendant, that the defendant's employees cannot be considered as recipients within the meaning of Article 15.1.c) of the GDPR.

41. Consequently, the complainant's initial request – relating to the identity of the defendant's employees – cannot be granted on the basis of this provision.

II.1.2. As for the modalities relating to the exercise of the right of access (Articles 12.2, 12.3 and 15 of the GDPR)

42. Under Article 12.1 of the GDPR, it is up to the data controller to take "appropriate measures to provide any information referred to in Articles 13 and 14 as well as to make any communication under Articles 15 to 22 and Article 34 concerning the processing to the data subject in a concise, transparent, intelligible and easily accessible manner, in clear and plain language [...].".

⁹ CJEU, judgment of 22 June 2023, Pankki S., C-579/21, paragraph 83.
¹⁰ Ibid., paragraph 73; See also Decision of the Contentious Chamber 89/2023 of 28 June 2023, paragraph 22.
¹¹ CJEU, judgment of 22 June 2023, Pankki S., C-579/21, paragraph 73.

43. In addition, it is the responsibility of the data controller to facilitate the exercise of the rights of the data subject (Article 12.2 of the GDPR) and to provide him/her with information on the measures taken following a request made under Articles 15 to 22 of the GDPR, as soon as possible and in any event within one month of receipt of the request. Article 12.3 of the GDPR provides that this period may, if necessary, be extended by two months, taking into account the complexity and number of requests. In such a case, the data controller shall inform the data subject of this extension and the reasons for the postponement within one month of receipt of the request.

44. In its recital 59, the GDPR specifies that in order to facilitate the exercise, by the data subject, of the rights he or she enjoys under the same Regulation, "The controller should also provide the means to submit requests by electronic means, in particular when personal data are processed electronically." In this regard, the Litigation Chamber has already had the opportunity to state that "[i]n any event, the data subject should not be penalized in any way for not having sent his or her request to the correct address."

45. Furthermore, in its Guidelines 01/2022 on the right of access, the European Data Protection Board ("EDPB") explains that this possibility of extending the response deadline constitutes a derogation from the general rule and that it can only occur in certain circumstances on an exceptional basis. Furthermore, the EDPB notes that if a data controller is often forced to extend this period, this could indicate a failure in its procedure for processing access requests.

46. It follows from all this that the defendant has an obligation to follow up on the complainant’s exercise of the right of access under Article 15 of the GDPR in accordance with the terms of Article 12 of the GDPR, these two articles being intrinsically linked.

47. Based on the documents in the case file, the Litigation Chamber notes two things. On the one hand, it notes that in its response of 25 January 2022 to the complainant, the defendant stated that it did not have a dedicated email address for its DPO. Furthermore, in a response of 13 March 2022, the defendant informed the complainant that its request for access falls outside its scope of intervention.

¹² Decision of the Disputed Chamber 41/2020 of 29 July 2020, paragraph 83.
¹³ EDPB, Guidelines 01/2022 on data subject rights - Right of access, of 28 March 2023, paragraph 162, available at: https://edpb.europa.eu/system/files/2023-04/edpb guidelines 202201 data subject rights access v2 en.pdf

48. In this way, the Litigation Chamber concludes that the defendant did not facilitate

the exercise of the rights of the data subject in accordance with Article 12.2 of the GDPR in

that although there was an electronic communication channel, it was not able

to respond to the complainant’s request or to redirect it to – for example – its

DPO as it should have done in order to guarantee the full effectiveness of Article 12.2 of the

GDPR and therefore, of Article 15 of the GDPR exercised by the complainant. In other words, the

defendant did not offer the complainant responses or processing of his request

of sufficient quality. This finding cannot be altered by the fact that the

DPO’s email address was included, at the time of the facts, in the

defendant’s privacy policy.

49. Furthermore, regarding the communication channel used during the exchanges between the

complainant and the defendant between 25 January 2022 and 13 March 2022, the

Litigation Chamber wishes to point out, for information purposes only and without this constituting

any position on its part that could result in a sanction, that the defendant must, in addition to guaranteeing that the responses given to the complainants via

the Facebook chat are of sufficient quality, ensure that this communication channel

meets the appropriate security requirements as defined in Articles 5.1.f), 24, 25 and 32 of the GDPR.

50. On the other hand, and as already mentioned above (see point 29), it notes that the complainant exercised his right of access on 25 January 2022 – a request to which the defendant responded in a useful manner on 28 March 2023, i.e. during the course of these proceedings.

51. The complainant insists in his submissions on the fact that his request for access was responded to more than 14 months late.

52. The defendant, without denying the delay with which it responded to the complainant’s request for

access, notes that sanctions could not be imposed on it on the sole basis of the

breach of Article 12.3 of the GDPR.

53. In this regard, and without ignoring the judgments of the Market Court 2019/AR/1006 of 9 October 2023 and 2019/AR/1234 of 23 October 2023, the Litigation Chamber nevertheless emphasizes that the exercise of the rights of data subjects

can only be truly effective if the data controller is required to

respond to the exercise of such rights within a reasonable period, which has been set by the

European legislator at one month, with certain exceptions. To assert the

opposite would amount to allowing the data controller not to react or to react too late

in such a way that the exercise of the right by the data subject would prove to be

totally futile.

Article 12 of the GDPR is, like the rights of the data subject enshrined

in Chapter III of the GDPR, also explicitly sanctioned by Article 83.5 b) of the GDPR 14

without Article 12.3 being excluded. It is useful to specify that Article 83.5.b) of the GDPR provides for the higher level of sanctions referred to in Article 83 of the same Regulation.

54. The Litigation Chamber notes that the violation of Articles 12.3 and 15 of the GDPR is

undeniable, in that the defendant does not dispute having responded to the complainant's request for access

14 months late. By responding to the complainant’s request for access

well beyond the deadline set by Article 12.3 of the GDPR, the defendant was guilty

of a continuous violation of the complainant’s right of access for 14 months.

55. By way of conclusion, the Litigation Chamber concludes that the defendant violated

Articles 12.2, 12.3 and 15 of the GDPR in that the complainant only obtained a

response to his request for access after more than 14 months’ delay from the defendant, in particular

because it did not facilitate the exercise of the complainant’s right of access. Furthermore, the

Litigation Chamber points out that this response was granted to the complainant in the context

of the exchange of submissions between the parties in the present proceedings, without which the

violation of the complainant’s rights would likely have continued. However, the finding relating to

Articles 12.2 and 12.3 is not taken into account in determining the penalty
it being understood that these two provisions were not included in the letter by which the

Litigation Chamber invited the parties to conclude (see point 10).

II.2. As for the other complaints

56. The Litigation Chamber notes the parties’ arguments regarding the additional complaints

relating to Articles 5, 6 and 7.1 of the GDPR.

57. However, and as recalled by the defendant in its submissions, the

Litigation Chamber limited the scope of the discussions to Article 15 of the GDPR alone. Accordingly, it does not

appear appropriate to examine these additional complaints, it being understood that the

finding of the truth of one of them cannot serve as a basis for imposing

sanctions against the defendant.

III. Corrective measures and sanctions

III.1. Range of sanctions

58. Under Article 100 of the LCA, the Litigation Chamber has the power to:

1° dismiss the complaint without further action;

14Article 29 Working Party, Guidelines on transparency within the meaning of Regulation (EU) 2016/679, WP 260, points 30-32 and 48.

2° order that there be no case to answer;

3° order a suspension of the decision;

4° propose a settlement;

5° issue warnings and reprimands;

6° order compliance with the data subject's requests to exercise their rights;

7° order that the data subject be informed of the security problem;

8° order the freezing, limitation or temporary or permanent prohibition of the processing;

9° order the processing to be brought into compliance;

10° order the rectification, restriction or erasure of the data and the notification of
these to the recipients of the data;

11° order the withdrawal of the accreditation of certification bodies;

12° impose periodic penalty payments;

13° impose administrative fines;

14° order the suspension of cross-border data flows to another State or an

international body;

15° forward the file to the Public Prosecutor's Office of the Brussels King's Prosecutor, which shall inform it of the follow-up given to the file;

16° decide on a case-by-case basis to publish its decisions on the website of the

Data Protection Authority.

59. As for the administrative fine that may be imposed in implementation of Article 83 of the GDPR

and Articles 100, 13° and 101 LCA, Article 83 of the GDPR provides:

"1. Each supervisory authority shall ensure that administrative fines imposed under

this Article for infringements of this Regulation, referred to in paragraphs 4,

5 and 6, are, in each case, effective, proportionate and dissuasive;

2. Depending on the specific characteristics of each case, administrative fines shall

be imposed in addition to or instead of the measures referred to in Article 58, paragraph 2,

points (a) to (h), and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken in each individual case of the following:

(a) the nature, gravity and duration of the breach, taking into account the nature, scope or

purpose of the processing concerned, as well as the number of data subjects affected

and the level of damage suffered by them;

(b) whether the breach was committed intentionally or negligently;

(c) any measures taken by the controller or processor to mitigate the

damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor, taking into account

the technical and organisational measures implemented by them pursuant to

Articles 25 and 32;

(e) any previous relevant breach by the controller or

processor;

(f) the degree of cooperation established with the supervisory authority to remedy the

breach and mitigate its possible negative effects;

(g) the categories of personal data concerned by the breach;

(h) the manner in which the supervisory authority became aware of the breach, in particular whether and

to what extent the controller or processor has notified the breach;

(i) where measures referred to in Article 58(2) have

previously been ordered against the controller or processor concerned for the same

subject matter, compliance with those measures;

(j) the application of codes of conduct approved pursuant to Article 40 or

certification mechanisms approved pursuant to Article 42; and

(k) any other aggravating or mitigating circumstances applicable to the

circumstances of the case, such as financial benefits obtained or losses avoided,

directly or indirectly, as a result of the infringement”.

III.2. As to the imposition of an administrative fine

60. Article 58.2 of the GDPR grants supervisory authorities the power to take one or

more corrective measures against controllers. In accordance with

Article 58.2.i) of the GDPR, a supervisory authority may, depending on the

circumstances of each case, impose an administrative fine in addition to or instead of the

aforementioned corrective measures.

61. In this regard, Article 83.1 of the GDPR requires that a fine imposed by an

authority must, in each case, be effective, proportionate and dissuasive. Article 83.2 of the GDPR sets out a

number of criteria that must be duly taken into account in a specific case. In

addition, the highest fine applies in accordance with Article 83.5.b) of the GDPR. Indeed, in the event of a violation of the rights of the data subject (in this case, the right of access

guaranteed by Article 15 GDPR), the Litigation Chamber may impose an administrative

fine of up to EUR 20,000,000 or, in the case of a company, up to 4%

of its total worldwide annual turnover for the previous financial year, whichever is the highest.

62. A penalty imposed by the DPA in the form of a fine must be adequately justified; the size of this penalty must, on the one hand, take into account the circumstances of the individual case and, on the other hand, be proportionate to the infringement found as well as to the status of the perpetrator of the infringement and his financial situation. However, no legal provision requires the Litigation Chamber to rule on all the criteria provided for in the aforementioned Article 83 of the GDPR, nor to indicate the numerical elements relating to the method of determining the amount of the penalty imposed. The justification of the fine on the basis of a detailed summary of each element taken into consideration for the determination of the fine is therefore optional, but was carried out in this case.

63. In the present case, the administrative fine is justified by the fact that the defendant, whose turnover

is established at (…EUR) for the year 2023, violated Article 15 of the GDPR for a

period of 14 months. This violation was caused by the failure of two employees of the

defendant to properly handle the request for access made by the complainant,

thus denoting serious negligence – and this despite the fact that the processing of personal

data constitutes one of its core activities. Furthermore, the Litigation

Chamber takes into account the fact that although the defendant eventually gave a satisfactory

response to the complainant’s request for access, this response took effect during

the exchange of submissions between the parties. These elements – further developed below –

justify imposing an administrative fine, rather than a lower penalty such

as a warning or reprimand.

III.2.1. Calculation of the basic amount

64. Nature, gravity and duration of the violation (Article 83, paragraph 2, point a) of the GDPR) –

First, the Litigation Chamber notes that the defendant infringed the complainant’s right

of access. In addition to Article 15 of the GDPR, the right of access is also included in Article

8.2 of the European Charter of Fundamental Rights and therefore constitutes one of the essential

elements of the fundamental right to data protection; in other words, this is the "gateway" that strengthens the control of the persons concerned over the data concerning them and allows the exercise of other rights conferred on the person concerned by the GDPR, such as the right to object and the right to erasure.

15In this sense, the decision of the French Council of State, 10th-9th joint chambers, 14/05/2024, 472221, states that "8. It follows from the preceding provisions that, in the event that the legality of an administrative decision is based on taking into account a certain number of considerations, compliance with the requirement of motivation that they provide for does not lead its author to having to state only those on which the decision he has taken is based. Furthermore, there is no provision that the restricted formation of the CNIL should provide an explanation of the amount of the penalties it imposes. It follows that the restricted formation of the CNIL, which neither had to rule on all the criteria provided for in Article 83 of the aforementioned GDPR, nor to indicate the figures relating to the method of determining the amount of the penalty imposed, but in particular based itself precisely on the criteria provided for in a and k of 2 of Article 83 of the GDPR as well as on the business model of the applicant company and the weight it represents in its economic sector, did not provide insufficient reasons for its decision", and "11. The restricted formation of the CNIL, in imposing a fine of 3 million euros, complied with the rules set out in Article 20 of the Law of 6 January 1978, cited in point 9. Furthermore, there is no provision, as stated in point 8, that it should provide an explanation of the amount of the penalties it imposes. Consequently, the restricted formation of the CNIL did not disregard the principle of legality of offences and penalties".

65. The effectiveness of the right of access is guaranteed by the terms set out in Article 12 of the GDPR,

which is intrinsically linked to Article 15 of the GDPR, among others. Therefore, by giving a satisfactory response to the complainant’s request for access only 14 months after the date on which the complainant exercised his right of access, the defendant was guilty of a continuous violation of Article 15 of the GDPR for more than 14 months.

66. Secondly, concerning the seriousness of the violation, the Litigation Chamber notes

first of all that the defendant is a telecommunications company, and that the

processing of personal data therefore constitutes one of its core activities.

Also, and as set out in the paragraphs above, there was a continuous violation of Article 15 of the GDPR for 14 months, which is the gateway to the exercise of other rights.

67. Thirdly, as for the duration of the violation, it continued for more than 14 months.

Article 12.3 of the GDPR provides that the controller must respond “as soon as possible and in any event within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the

complexity and number of requests.” In this regard, the Litigation Chamber specifies,

on the one hand, that the aforementioned extension of the deadline should only be used

exceptionally – which could otherwise indicate the need for the data controller to

develop its procedures for handling requests – and, on the other hand, that
the data controller must respond to a request for access within a period of less

than one month if it is able to do so.

68. Deliberate or negligent nature of the violation (Article 83, paragraph 2, point b) of the

GDPR) – A distinction is made between a violation caused by negligence and a violation caused
deliberately. The deliberate nature of a violation implies the meeting of two conditions,

namely knowledge of a violation as well as the will to cause it. Negligence is

defined, a contrario, by the absence of intentionality in the commission of the offence,

although the principle of diligence was not respected.

69. The Litigation Chamber specifies that a high threshold is set to consider a violation

as being deliberate. In addition, negligence can also be assessed by

degrees.

70. In the present case, there is no intentionality in the breach committed under Article 15 of

the GDPR. However, in view of the financial and human capacities of the defendant, as

well as the fact that the processing of personal data constitutes one of the

core activities of the defendant, the Litigation Chamber considers that the defendant committed serious negligence. This is all the more true since two of the defendant’s employees showed that they did not know how to respond to the request for access made by the complainant.

71. Categories of personal data concerned by the violation (Article 83,

paragraph 2, point g) of the GDPR) – It does not appear from the documents in the case file that

any data other than identification data were processed by the controller.

72. Classification of the seriousness of the violation and determination of the

appropriate starting amount –

The assessment of the above elements – namely the nature, seriousness and

duration of the violation, as well as the deliberate or negligent nature of the

violation and the categories of personal data concerned – makes it possible to determine the

degree of seriousness of the violation as a whole. According to this assessment, the seriousness of the

violation can be described as “low”, “medium” or “high”.

73. In this case, it should first be noted that the violation of Article 15 is among the

violations listed in Article 83.5 of the GDPR, thus falling under the higher level of

Article 83 of the same Regulation. It should also be noted that the processing of

personal data that motivated the complainant to exercise his right of access

constitutes one of the core activities of the defendant. In addition, the

complainant received a response more than 14 months after exercising his right of access, and this

during the exchange of submissions in the present procedure. However, it does not emerge from the

case that data other than identification data were processed by the

defendant. Furthermore, the violation concerns only the person of the complainant. In

addition, the damage suffered by the latter is low, given that he already had

part of the answers he requested from the defendant and that he did not have the right to access

other information requested, namely the identity of the employees who processed his

personal data. In any event, the violation committed by the defendant

is the result of gross negligence on its part.

74. In light of the elements set out above, the Litigation Chamber concludes that the

violation found is of low gravity. Therefore, for the calculation of the subsequent amount, a starting amount of between 0% and 10% of the maximum legal amount provided for

in Article 83.5 of the GDPR will be set.

75. The turnover of the defendant amounting to (…) EUR for the year 2023, the Litigation

Chamber establishes as the basic calculation amount the sum of EUR 100,000.

III.2.2. Mitigating and aggravating circumstances

76. Measures taken to mitigate the damage suffered by the complainant (Article 83.2.c) of the GDPR) –

As regards the measures taken to mitigate the damage suffered by the complainant, the

Litigation Chamber acknowledges that the defendant eventually provided a complete and satisfactory

response to the complainant. However, it cannot be ignored that this

response was provided after the parties had been invited to submit their

submissions.

77. Degree of responsibility of the defendant taking into account the technical and

organisational measures implemented in accordance with Articles 25 (Article 83.2.d) of the

GDPR) – The Litigation Chamber, assessing the level of responsibility of the

defendant, notes that the latter is fully responsible for the management of the requests of

data subjects that it receives, including the right of access.

78. This responsibility encompasses various aspects, in particular the efficiency of the

execution of requests, the definition of specific codes to respond appropriately to

requests made under Articles 15 to 22 of the GDPR, as well as the understanding and

implementation of clear and effective procedures by all staff, from

managers to internal staff.

79. The Litigation Chamber notes that the defendant had at the time of the facts a

point of contact with its data protection officer. This did not, however, prevent the complainant’s request for access from being properly followed up only more than 14 months after it was made, particularly because the defendant did not forward the complainant’s request to its DPO, and even wrongly declared to the complainant that it did not have a DPO contact point.

80. Previous violations committed by the data controller (Article 83.2.e) of the

GDPR) – The Litigation Chamber did not find any violation of Article 15 of the GDPR

previously committed by the defendant, or any other violation that would be

relevant in this case. This criterion is then deemed neutral, it being understood that compliance with the

standards of the GDPR is the norm.

81. Degree of cooperation with the supervisory authority (Article 83.2.f) of the GDPR) – The Litigation Chamber

notes that the defendant has been fully cooperative towards it. This criterion is deemed to be neutral, since it is a general duty established by Article

31 of the GDPR.

82. Manner in which the supervisory authority became aware of the violation (Article

83.2.h) of the GDPR) – The Litigation Chamber became aware of the violation

through a complaint. This criterion is deemed to be neutral.

83. Any other aggravating or mitigating circumstance (Art. 83.2.k) of the GDPR) – No other aggravating or mitigating circumstance

emerges from the present case.

III.2.3. The effective, proportionate and dissuasive nature of the fine

84. A fine is considered effective if it achieves its objectives, such as restoring

compliance with the rules and sanctioning unlawful conduct. In this case, the fine aims to sanction

the negligent and serious conduct of the defendant. In addition, it aims to deter

other similar violations in the future. The prolonged violation of the

complainant’s fundamental rights, despite the complainant’s request for access and multiple reminders, demonstrates the

need for a firm response from the Litigation Chamber. In this case, the

defendant, with a turnover of more than (… euros), can bear a fine

of EUR 100,000 (less than 0.01% of the turnover) without compromising its

economic viability. The Litigation Chamber sought a dissuasive final fine amount, in order to prevent the defendant from repeating the violation of the GDPR rules.

In addition, it also seeks to deter other companies from committing

similar violations.

III.2.4. Reaction of the defendant to the sanction form

85. As a preliminary point, the defendant highlights the circumstances of the present case. It states

that this is a one-off and isolated infringement, but not an infringement that would be

systemic in nature. This violation would have its source not in deliberate intent or

serious negligence, but in simple negligence. It adds that the number of

persons affected by the violation is limited to the single complainant, the latter having suffered

extremely limited harm – this is justified in particular by the fact that the

violation of the GDPR committed concerns only simple identification data. In this regard, the defendant notes that although the right of access constitutes the "gateway" to the exercise of the other rights conferred by the GDPR, the complainant did not exercise these same rights after obtaining a response to his request for access on 28 March 2023. In any event, the defendant notes that it has corrected the violation it committed, and has implemented additional internal measures, including training in its customer service to enable employees working there to better recognise access requests, but also to better process them. Finally, the defendant argues that it receives an average of 150 requests for access per year, and that, consequently, it is possible that requests are answered beyond the deadlines provided for in Article 12.3 of the GDPR due to the occurrence of human errors.

86. The defendant contests (i) the choice to impose an administrative fine and (ii) its amount.

(i) Concerning the choice to impose an administrative fine

87. On the one hand, the defendant recalls the judgments of the Market Court by which the
latter held that the sole violation of the time limits established by Articles 12.3 and 12.4 of the GDPR

cannot justify the imposition of a sanction.

88. On the other hand, the defendant denounces a disproportion between the choice to impose an

administrative fine and the facts presented above. The defendant states that
the Litigation Chamber has a wide range of sanctions at its disposal. However, it considers

that the Litigation Chamber would not justify the reason why the imposition of an

administrative fine would be necessary in this case, and the reason why other

sanctions, such as a reprimand or warning, would not be appropriate.

(ii) The amount of the administrative fine

89. In the final analysis, the defendant considers that the amount of the fine is

totally disproportionate to the seriousness of the facts of the case.

III.2.5. Final amount of the fine

90. In light of the defendant’s reaction, the Litigation Chamber decides to maintain

the amount of the fine as communicated to the defendant on 3 July 2024, namely

EUR 100,000.

91. The defendant in fact asserts as new elements only the fact of having adopted

additional measures internally in order to prevent such a violation from

recurring in the future, and the information relating to the number of requests for access that it

receives on average per year (150).

92. First of all, the Litigation Chamber notes that the organisation of adequate

training for staff in order to enable them to better handle requests to exercise

the rights of data subjects is what is expected of a data controller, particularly when

it occupies such a position in the market. Since compliance with the

GDPR is the norm, this element cannot be assessed other than as a

neutral criterion.

93. Furthermore, the Litigation Chamber wishes to emphasise that the processing of personal data is a core activity of the defendant, and that in view of its sector of activity, its size and the number of clients whose personal data the defendant processes, the risks arising from this are all the higher.

Consequently, the defendant must be more vigilant with regard to the protection of personal data, and adopt robust procedures in order to guarantee compliance with the

In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days of its notification, with the Market Court (Brussels Court of Appeal), with the Data Protection Authority as the defendant.

Such an appeal may be filed by means of an interlocutory application which must contain the information listed in Article 1034ter of the Judicial Code 18. The interlocutory application must be filed at the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code 19, or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).

(signed) Hielke HIJMANS

President of the Litigation Chamber

18The application must contain, under penalty of nullity:

1° the indication of the day, month and year;
2° the surname, first name, address of the applicant, as well as, where applicable, his/her qualifications and his/her national register number or company number;
3° the surname, first name, address and, where applicable, the qualifications of the person to be summoned;
4° the subject and summary of the grounds of the application;
5° the indication of the judge who is seized of the application;
6° the signature of the applicant or his lawyer.

19The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.