APD/GBA (Belgium) - 107/2024
Revision as of 06:45, 24 September 2024
APD/GBA - 107/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12(3) GDPR; Article 15 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 23.08.2024 |
Published: | |
Fine: | 100,000 EUR |
Parties: | n/a |
National Case Number/Name: | 107/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | APD/GBA (in FR) |
Initial Contributor: | wp |
The DPA fined a controller €100,000 for failing to answer a data subject's access request in a timely manner. However, the DPA rejected the data subject's request to receive information on the specific employees who accessed their data.
English Summary
Facts
The data subject was a customer of a telecommunications company (the controller). The controller unilaterally modified the data subject's subscriptions and billing. The data subject contested these changes and initiated mediation proceedings before the Telecommunications Mediation Service (Service de médiation pour les télécommunications). During those proceedings, the controller explained that the modification was caused by human error.
The data subject then filed an access request under Article 15 GDPR with the controller, indicating that they were interested in data from the relevant period (the year 2021) and in which employees had accessed their data and for what reason. The data subject explicitly asked for the response in a table format listing, for each access, the date, the employee or employee number, and the reason for the access.
The controller did not respond to the request within the one-month time limit. Because of this, the data subject lodged a complaint with the Belgian DPA (APD/GBA). Only during the proceedings before the DPA, more than 14 months after the request, did the controller respond by providing a partially anonymised copy of the activity logs relating to the data subject's contract for 2021. The controller disclosed neither the identity of the employees who had accessed the data subject's data nor the purpose of that access.
In its response to the complaint, the controller argued that the access request concerned personal data of its employees, which are not the data subject's own personal data and which, in its view, fell outside the scope of Article 15 GDPR; for that reason, the request was not answered in the way the data subject expected.
Holding
The DPA partially upheld the complaint.
Although the data subject already possessed some of the data before making the access request, this did not affect their right of access. Article 12(5) GDPR allows a controller to refuse to act on a request, including an access request, only where the request is manifestly unfounded or excessive. Neither ground applied in the case at hand, and the controller had not invoked them. The DPA emphasised that a controller is not relieved of its duty to answer an access request in full merely because the data subject already possesses the data.
However, the DPA found the data subject's request to receive information on the specific employees who accessed their data unfounded. Employees' personal data are not the data subject's own personal data and therefore fall outside Article 15 GDPR; following the CJEU in Pankki S (C-579/21), they may nevertheless be disclosed where this is necessary for the data subject to exercise their other GDPR rights, after balancing against the employees' rights and freedoms under Article 15(4) GDPR. Yet the data subject did not demonstrate any interest in accessing information on the controller's employees, and the employees were not "recipients" within the meaning of Article 15(1)(c) GDPR. Hence, the controller was not obliged to include employees' data in its response to the access request.
Nevertheless, the controller failed to handle the access request in accordance with Article 12(2) GDPR. The electronic communication channel used by the controller (a chat) was not able to respond to the data subject's request or to redirect it to the DPO, and the controller's employees did not properly manage the request. As a result, the access request was answered more than 14 months after it was made, far beyond the time limit of Article 12(3) GDPR. The DPA noted that the full answer was only given during the proceedings before the DPA, without which the violation would likely have continued. According to the DPA, such conduct amounted to gross negligence of the controller's duties. The DPA found a violation of Article 15 GDPR and imposed a fine of €100,000; the findings under Article 12(2) and 12(3) GDPR were not taken into account in determining the penalty, as those provisions were not included in the DPA's invitation to the parties to submit their arguments.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/21 Litigation Chamber Decision on the merits 107/2024 of 23 August 2024 File number: DOS-2022-02420 Subject: Complaint regarding a response granted with a delay of more than 14 months from the exercise of the complainant's right of access The Litigation Chamber of the Data Protection Authority, consisting of Mr. Hielke H IJMANS, President, and Messrs. Dirk Van Der Kelen and Christophe Boeraeve, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR"; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter "LCA"); Having regard to the internal rules as approved by the Chamber of Representatives on 1 20 December 2018 and published in the Belgian Official Journal on 15 January 2019; Having regard to the documents in the file; Has taken the following decision concerning: The complainant: X, hereinafter "the complainant"; The defendant: Y, hereinafter “the defendant” 1The new internal regulations of the APD, following the amendments made by the Law of 25 December 2023 amending the law of 3 December 2017 establishing the data protection authority (LCA) came into force on 01/06/2024. In accordance with Article 56 of the law of 25 December 2023, it only applies to complaints, mediation files, requests, inspections and procedures before the Litigation Chamber initiated from this date: https://www.autoriteprotectiondonnees.be/publications/reglement-d-ordre-interieur-de-l-autorite-de-protection-des- donnees.pdf. Cases initiated before 01/06/2024, as in this case, are subject to the provisions of the LCA as not amended by the Law of 25 December 2023 and the internal regulations as they existed before that date. Decision on the merits 107/2024 — 2/21 I. 
Facts and procedure 1. On 7 June 2022, the complainant filed a complaint with the Data Protection Authority against the defendant. 2. The complaint concerns the follow-up given to the complainant's exercise of his right of access. 3. The complainant was a customer of the defendant - the latter being a telecommunications company. Between 27 January 2021 and 26 February 2021, the defendant modified several of the complainant's subscriptions and billings, even though the latter had not made any such request. 4. On 27 August 2021, at the end of a mediation procedure initiated by the complainant on 26 June 2021 with the Telecommunications Mediation Service, the Ombudsman closed the procedure, considering that all the useful information requested by the complainant had been communicated to him. As part of this procedure, the defendant informed the complainant that the inconveniences suffered in connection with his various subscriptions and billings with it were caused by human error. Following this response, the complainant stated that he was still waiting for an exact clarification of the situation. 5. On 25 January 2022, the complainant contacted the defendant via his Messenger chat, asking for the contact details of its Data Protection Officer (DPO hereinafter). This responds that she does not have a DPO email address but still processes her request in the chat. 6. On the same day, the complainant indicates that she wants to exercise her right of access on the basis of Article 15 of the GDPR, and specifies that she wants to be informed for a period from January 1, 2021 to December 31, 2021. He also specifies that he wants a response in a table format that he indicates in the chat, including for each access to his personal data the following elements: date, employee or "employee number", and reason(s) for access. 7. Still on the same day, the defendant asks the complainant to clarify his request. 
The complainant responds the next day that his request is simple and clear. 8. On 13 March 2022, the complainant reminded the defendant of his request for access, and informed that if he did not respond before the end of March 2022, a complaint would be filed with the DPO. On the same day, the defendant, still via chat, asked the complainant for further explanations in order to be able to carry out the necessary checks. The complainant responded by explaining that he wanted to know which of the defendant’s employees had accessed his personal data. The defendant replied that it was not possible to know, and that the request was “beyond [its] scope of intervention”. The complainant indicated again that his request was addressed to the DPO, and that if he did not respond before the end of March, he would file a complaint with the DPO. The employee (in charge of the chat) of the Decision on the merits 107/2024 — 3/21 defendant responds by inviting the complainant to contact her again for any other request. 9. On June 9, 2022, the complaint is declared admissible by the Front Line Service on the basis of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Chamber under Article 62, § 1 of the LCA. 10. On February 27, 2023, the Litigation Chamber decides, under Article 95, § 1, 1° and Article 98 of the LCA, that the case can be dealt with on the merits. On the same date, the parties concerned are informed by registered mail of the provisions as set out in Article 95, § 2 and Article 98 of the LCA. They are also informed, pursuant to Article 99 of the LCA, of the deadlines for submitting their submissions. The deadline for receipt of the respondent's submissions in response has been set at 10 April 2023, that for the complainant's submissions in reply at 1 May 2023 and that for the respondent's submissions in reply at 22 May 2023. 11. 
On 2 March 2023, the respondent agrees to receive all communications relating to the case by electronic means and expresses its intention to use the possibility of being heard, in accordance with Article 98 of the LCA. She requested by the same email a copy of the file (art. 98, §2, 3° LCA), which was sent to her on March 14, 2023. 12. On March 22, 2023, the complainant agreed to receive all communications relating to the case electronically. 13. On March 28, 2023, the defendant responded to the complainant's request for access by providing the activity logs relating to the complainant's contract covering the entire year 2021. For security and confidentiality reasons, the defendant anonymized all "logins". 14. On April 7, 2023, the Litigation Chamber received the submissions in response from the defendant. The latter having filed summary submissions, its argument is summarized in point 16 below. 15. On 30 April 2023, the Litigation Chamber received the submissions in reply from the complainant. In summary, here is what the complainant defends: - He requests that his complaint be declared well-founded; - The rights he derives from Articles 12 and 15 of the GDPR have not been respected by the defendant, it being understood that it did not allow him to contact its DPO, that it responded to his request for access with a year and a half delay, and that it has never responded concerning the purposes for which its employees accessed the complainant's account and personal data; Decision on the merits 107/2024 — 4/21 - To impose a more severe sanction than a warning, taking into account the number of requests and reminders that he made; - To anonymize all personal data relating to it; - Not to anonymize the defendant. 16. On May 22, 2023, the Litigation Chamber receives the summary conclusions from the defendant. 
In summary, the latter defends the following: - It was not its responsibility to provide access to the information requested by the complainant it being understood: (i) that the personal data of the employees of the defendant do not constitute personal data of the complainant himself and that the same employees cannot be considered as 2 recipients of the data within the meaning of Art. 15.1.c) of the GDPR, (ii) that the complainant had all the information at the time of filing this complaint, it being understood that the contact address of the defendant's DPO could be found on the latter's website and that the responses to the other requests he made were brought to his attention on 30 July 2021, and (iii) that the right conferred by Article 15 of the GDPR does not constitute an absolute right, and that he may therefore encounter certain limits when it is balanced against the rights and freedoms of third parties (Article 15.4 GDPR), as in this case where the rights and freedoms of the defendant’s employees prevail over the complainant’s right of access ; - Failure to meet the response deadline provided for in Article 12.3 GDPR cannot in itself result in a sanction; - The Litigation Chamber cannot take a decision on the breaches alleged by the complainant in his email of 23 March but which did not appear in the invitation to conclude letter that it sent to the parties on 27 February 2023, it being understood that the defendant cannot be expected to defend itself against them adequately; - To declare the breaches alleged by the complainant unfounded if the Litigation Chamber were to examine them. 17. On 29 April 2024, the parties were informed that the hearing would take place on 31 May 2024. 18. On 31 May 2024, the parties were heard by the Litigation Chamber. 19. On 10 June 2024, the minutes of the hearing were submitted to the parties. 2It is clear from the defendant’s submissions that it was Article 15.1.b) of the GDPR that was cited. 
However, it appears from reading these submissions that the defendant was referring to Article 15.1.c) of the same Regulation. Decision on the merits 107/2024 — 5/21 20. On 12 June 2024, the Litigation Chamber received from the defendant some formal remarks relating to the minutes, which were annexed to the latter in accordance with Article 54, paragraph 2 of the Rules of Procedure. 21. On 17 June 2024, the Litigation Chamber received from the complainant some remarks relating to the minutes. These called for substantial changes to the minutes, which could not be made since the discussions had been closed at the end of the hearing. 22. On 3 July 2024, the Litigation Chamber informed the defendant of its intention to impose an administrative fine and the amount of the fine, in order to give the defendant the opportunity to defend itself before the penalty is actually imposed. 23. On 22 July 2024, the Litigation Chamber received the defendant's reaction regarding the intention to impose an administrative fine and the amount of the fine. The content of the defendant's reaction is summarised in points 85 et seq. II. Grounds II.1. As to the alleged violation of the right of access (Article 15 of the GDPR) II.1.1. As for the content of the follow-up granted to the right of access by the defendant 24. The Litigation Chamber recalls that Article 4,1) of the GDPR defines personal data as "any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an "identifiable natural person" is deemed to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more specific elements specific to his physical, physiological, genetic, mental, economic, cultural or social identity; […]". 25. 
Processing of personal data means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. 3GDPR, Art. 4.2. Decision on the merits 107/2024 — 6/21 26. Under Article 15.1 of the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. Where this is the case, the data subject has the right to obtain access to said personal data as well as to a series of information listed in Article 15.1 a) to h) such as the purpose of the processing of his/her data, the possible recipients of his/her data as well as information relating to the existence of his/her rights, including the right to request the rectification or erasure of his/her data or the right to file a complaint with the DPA. 27. The third paragraph of Article 15 specifies that “the data controller shall provide a copy of the personal data being processed. […]”. This paragraph enshrines one and the same right with the first paragraph of the same article. Furthermore, it is clear from the case law of the CJEU that this right implies the possibility for the person concerned to obtain "the reproduction of extracts from documents or even entire documents or extracts from databases […]" if this proves essential. However, the reading of this right cannot be dissociated from that of Article 15.4 which provides that a balance must be made with the rights and freedoms of others, where appropriate. 28. 
The Litigation Chamber recalls that the right of access constitutes an essential requirement of the right to data protection, since it constitutes the “gateway” that allows the exercise of the other rights conferred by the GDPR on the data subject.6 29. In the present case, it appears that the complainant exercised his right of access on 25 January 2022, a request to which the defendant responded on 28 March 2023 by providing the complainant with a partially anonymised version of the activity logs relating to his contract spanning the whole of 2021. The defendant adds in its submissions that the complainant had already asked questions similar to those in his request for access in the context of the mediation procedure (see point 4), which ended on 27 August 2021, it being understood that the Ombudsman considered that all the information useful had been communicated to the complainant. 30. In this regard, it must be clarified that in no way could a data controller be discharged from its obligation to follow up on the exercise of the right of access on the sole ground that the complainant already had the requested information prior to the exercise of said right. Article 12.5 does provide that it may in particular be refused to comply with the exercise of one of the rights referred to in Articles 15 to 22 of the GDPR where the request of the data subject is manifestly unfounded or excessive, however none of these 4CJEU, judgment of 4 May 2023, Österreichische Datenschutzbehörde, C-487/11, paragraph 32. 5 CJEU, judgment of 12 January 2023, Österreichische Post AG, C-154/12, paragraph 41. 
6CJEU, judgment of 12 January 2023, Österreichische PostAG, C-154/12, paragraphs 37 and 38; CJEU, judgment of 20 December 2017, Nowak, C-434/16, paragraph 57 ;CJEU,judgmentof17July2014,YSetal.,C-141/12andC-372/12,paragraph44;CJEU,judgmentof7May2009,Rijkeboer, paragraph52.Decisiononthesubstance107/2024 — 7/21 twoexceptionswerenotinvokedbythedefendant.Inanycase,theuseofoneoftheseexceptionsmust,underArticle12.4oftheGDPR,benotifiedtothedata subjectas soonaspossible,andatthelatest“withinonemonthofreceiptoftherequest […]”–this being absent from the exchanges between the complainantandthedefendant. 31. Concerning the content of the follow-up given to the request for access, the complainant stated in his submissions that he remained dissatisfied (a) in that he had not obtained additional explanations as to the purposes of the processing carried out by the employees of the defendant, and (b) in that he had not obtained the identity of the employees of the defendant who had carried out the said processing. However, the complainant explicitly stated during the hearing held on 31 May 2024 (see point 18) that he was satisfied with the response that the defendant sent him following his request for access made on 25 January 2022 – but not with the manner in which the response was delivered to him. The Litigation Chamber nevertheless considers it important to carry out the examination below, since it is in no way relieved of the examination of compliance with the GDPR by the fact that part of the complaint has become moot. a) Access to the purposes of the processing 32. On the one hand, it is clear from the documents in the case that the defendant communicated a partially anonymized version of the activity logs covering the whole of 2021 relating to the complainant's contract dated 28 March 2023. In addition, the complainant stated that he was satisfied with the data he received following the email of 28 March 2023. 33. 
It therefore appears to the Litigation Chamber that the complainant's request relating to the purposes of the processing has been exhausted. b) Access to the identity of employees who carried out the processing 34. On the other hand, the Litigation Chamber notes that the defendant refused to grant access to the personal data relating to its employees (see points 7 and 16) – request made on 25 January 2022 by the complainant. 35. The Litigation Chamber recalls in this regard that the personal data of employees do not constitute personal data of the data subject, 8 which therefore places them outside the scope of Article 15 of the GDPR. However, recital 63 of the GDPR specifies that this cannot lead a data controller to “refuse any communication of information to the data subject.”. 7Decision of the Contentious Chamber 63/2020 of 22 September 2020, paragraph 16. 8CJEU, judgment of 22 June 2023, Pankki S., C-579/21, paragraph 83. Decision on the merits 107/2024 — 8/21 36. Furthermore, it is also clear from the case-law of the CJEU that, given the essential role that the right of access plays for data subjects, the latter may access the personal data of employees of a controller who has processed their personal data if this proves necessary for the exercise of the 9 other rights guaranteed to them by the GDPR. Furthermore, a balance must be struck between the right of access of the data subject in question and – as set out in Article 15.4 of the GDPR – the rights and freedoms of others (corresponding, in this case, to the employees of the defendant). 37. The Litigation Chamber further specifies that the CJEU makes a distinction between an employee who acts according to the instructions and under the authority of his employer, and an employee who acts outside the instructions and authority of his employer – the former benefiting from greater protection of his identity than the latter. However, this distinction has no impact in the present case. 38. 
Indeed, the Litigation Chamber notes that the complainant does not demonstrate, in his submissions, any interest in obtaining the identity of the employees who have mistakenly processed his personal data. Furthermore, the complainant indicates in his submissions that he has an interest in knowing the purposes of the processing of his personal data, but not necessarily the identity of the employees who carried out this processing. During the hearing held on 31 May 2024, the complainant stated that he had no interest in accessing the purposes of the processing of his data, nor in the identity of the employees who carried out the processing. 39. Consequently, the Litigation Chamber considers that the rights and freedoms of the defendant's employees prevail over the complainant's right to access their identity. 40. In any event, the Litigation Chamber recalls, emphasizing the reasoning given by the defendant, that the defendant's employees cannot be considered as recipients within the meaning of Article 15.1.c) of the GDPR. 41. Consequently, the complainant's initial request – relating to the identity of the defendant's employees – cannot be granted on the basis of this provision. II.1.2. As for the modalities relating to the exercise of the right of access (Articles 12.2, 12.3 and 15 of the GDPR) 42. Under Article 12.1 of the GDPR, it is up to the data controller to take " appropriate measures to provide any information referred to in Articles 13 and 14 as well as 9CJEU, judgment of 22 June 2023, Pankki S., C-579/21, paragraph 83. 10 Ibid., paragraph 73; See also Decision of the Contentious Chamber 89/2023 of 28 June 2023, paragraph 22. 1CJEU, judgment of 22 June 2023, Pankki S., C-579/21, paragraph 73. Decision on the merits 107/2024 — 9/21 to make any communication under Articles 15 to 22 and Article 34 concerning the processing to the data subject in a concise, transparent, intelligible and easily accessible manner, in clear and plain language [...]. ». 43. 
In addition, it is the responsibility of the data controller to facilitate the exercise of the rights of the data subject (Article 12.2 of the GDPR) and to provide him/her with information on the measures taken following a request made under Articles 15 to 22 of the GDPR, as soon as possible and in any event within one month of receipt of the request. Article 12.3 of the GDPR provides that this period may, if necessary, be extended by two months, taking into account the complexity and number of requests. In such a case, the data controller shall inform the data subject of this extension and the reasons for the postponement within one month of receipt of the request. 44. In its recital 59, the GDPR specifies that in order to facilitate the exercise, by the data subject, of the rights he or she enjoys under the same Regulation, "The controller should also provide the means to submit requests by electronic means, in particular when personal data are processed electronically." In this regard, the Litigation Chamber has already had the opportunity to state that "[i]n any event, the data subject should not be penalized in any way for not having sent his or her request to the correct address." 45. Furthermore, in its Guidelines 01/2022 on the right of access, the European Data Protection Board ("EDPB") explains that this possibility of extending the response deadline constitutes a derogation from the general rule and that it can only occur in certain circumstances on an exceptional basis. Furthermore, the EDPB notes that if a data controller is often forced to extend this period, this could indicate a failure in its procedure for processing access requests. 46. It follows from all this that the defendant has an obligation to follow up on the complainant’s exercise of the right of access under Article 15 of the GDPR in accordance with the terms of Article 12 of the GDPR, these two articles being intrinsically linked. 47. 
Based on the documents in the case file, the Litigation Chamber notes two things. On the one hand, it notes that in its response of 25 January 2022 to the complainant, the defendant stated that it did not have a dedicated email address for its DPO. Furthermore, in a response of 13 March 2022, the defendant informed the complainant that its request for access fell outside its scope of intervention.

[12] Decision of the Litigation Chamber 41/2020 of 29 July 2020, paragraph 83.

[13] EDPB, Guidelines 01/2022 on data subject rights - Right of access, of 28 March 2023, paragraph 162, available at: https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf

Decision on the merits 107/2024 — 10/21

48. In this way, the Litigation Chamber concludes that the defendant did not facilitate the exercise of the rights of the data subject in accordance with Article 12.2 of the GDPR: although there was an electronic communication channel, it was not able to respond to the complainant's request or to redirect it to, for example, its DPO, as it should have done in order to guarantee the full effectiveness of Article 12.2 of the GDPR and therefore of Article 15 of the GDPR, as exercised by the complainant. In other words, the defendant did not offer the complainant responses to, or processing of, his request of sufficient quality. This finding cannot be altered by the fact that the DPO's email address was included, at the time of the facts, in the defendant's privacy policy.

49. Furthermore, regarding the communication channel used during the exchanges between the complainant and the defendant between 25 January 2022 and 13 March 2022, the Litigation Chamber wishes to point out, for information purposes only and without this constituting any position on its part that could result in a sanction, that the defendant must, in addition to guaranteeing that the responses given to complainants via the Facebook chat are of sufficient quality, ensure that this communication channel meets the appropriate security requirements as defined in Articles 5.1.f), 24, 25 and 32 of the GDPR.

50. On the other hand, and as already mentioned above (see point 29), it notes that the complainant exercised his right of access on 25 January 2022, a request to which the defendant responded in a useful manner on 28 March 2023, i.e. during the course of these proceedings.

51. The complainant insists in his submissions on the fact that his request for access was responded to more than 14 months late.

52. The defendant, without denying the delay with which it responded to the complainant's request for access, notes that sanctions could not be imposed on it on the sole basis of the breach of Article 12.3 of the GDPR.

53. In this regard, and without ignoring the judgments of the Market Court 2019/AR/1006 of 9 October 2023 and 2019/AR/1234 of 23 October 2023, the Litigation Chamber nevertheless emphasises that the exercise of the rights of data subjects can only be truly effective if the data controller is required to respond to the exercise of such rights within a reasonable period, which the European legislator has set at one month, with certain exceptions. To assert the opposite would amount to allowing the data controller not to react, or to react so late that the exercise of the right by the data subject would prove to be totally futile. Article 12 of the GDPR is, like the rights of the data subject enshrined in Chapter III of the GDPR, also explicitly sanctioned by Article 83.5.b) of the GDPR [14], without Article 12.3 being excluded. It is useful to specify that Article 83.5.b) of the GDPR provides for the higher level of sanctions referred to in Article 83 of the same Regulation.

[14] Article 29 Working Party, Guidelines on transparency under Regulation (EU) 2016/679, WP 260, points 30-32 and 48.

54. The Litigation Chamber notes that the violation of Articles 12.3 and 15 of the GDPR is undeniable, in that the defendant does not dispute having responded to the complainant's request for access 14 months late. By responding to the complainant's request for access well beyond the deadline set by Article 12.3 of the GDPR, the defendant was guilty of a continuous violation of the complainant's right of access for 14 months.

55. By way of conclusion, the Litigation Chamber finds that the defendant violated Articles 12.2, 12.3 and 15 of the GDPR, in that the complainant only obtained a response to his request for access after more than 14 months' delay on the part of the defendant, in particular because it did not facilitate the exercise of the complainant's right of access. Furthermore, the Litigation Chamber points out that this response was given to the complainant in the context of the exchange of submissions between the parties in the present proceedings, without which the violation of the complainant's rights would likely have continued. However, the finding relating to Articles 12.2 and 12.3 is not taken into account in determining the penalty, it being understood that these two provisions were not included in the letter by which the Litigation Chamber invited the parties to submit their conclusions (see point 10).

II.2. As for the other complaints

56. The Litigation Chamber notes the parties' arguments regarding the additional complaints relating to Articles 5, 6 and 7.1 of the GDPR.

57.
However, and as recalled by the defendant in its submissions, the Litigation Chamber limited the scope of the discussions to Article 15 of the GDPR alone. Accordingly, it does not appear appropriate to examine these additional complaints, it being understood that a finding that one of them is established could not serve as a basis for imposing sanctions against the defendant.

III. Corrective measures and sanctions

III.1. Range of sanctions

58. Under Article 100 of the LCA, the Litigation Chamber has the power to:
1° dismiss the complaint without further action;
2° order that there be no case to answer;
3° order a suspension of the decision;
4° propose a settlement;
5° issue warnings and reprimands;
6° order compliance with the data subject's requests to exercise their rights;
7° order that the data subject be informed of the security problem;
8° order the freezing, limitation or temporary or permanent prohibition of the processing;
9° order the processing to be brought into compliance;
10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data;
11° order the withdrawal of the accreditation of certification bodies;
12° impose periodic penalty payments;
13° impose administrative fines;
14° order the suspension of cross-border data flows to another State or an international body;
15° forward the file to the Public Prosecutor's Office of the Brussels King's Prosecutor, who shall inform it of the follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.

59. As for the administrative fine that may be imposed pursuant to Article 83 of the GDPR and Articles 100, 13° and 101 of the LCA, Article 83 of the GDPR provides:

"1. Each supervisory authority shall ensure that administrative fines imposed under this Article for infringements of this Regulation, referred to in paragraphs 4, 5 and 6, are, in each case, effective, proportionate and dissuasive;
2. Depending on the specific characteristics of each case, administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58, paragraph 2, points (a) to (h), and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken in each individual case of the following:
(a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;
(b) whether the breach was committed intentionally or negligently;
(c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any previous relevant breach by the controller or processor;
(f) the degree of cooperation established with the supervisory authority to remedy the breach and mitigate its possible negative effects;
(g) the categories of personal data concerned by the breach;
(h) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller or processor has notified the breach;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same subject matter, compliance with those measures;
(j) the application of codes of conduct approved pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; and
(k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the infringement."

III.2. As to the imposition of an administrative fine

60. Article 58.2 of the GDPR grants supervisory authorities the power to take one or more corrective measures against controllers. In accordance with Article 58.2.i) of the GDPR, a supervisory authority may, depending on the circumstances of each case, impose an administrative fine in addition to or instead of the aforementioned corrective measures.

61. In this regard, Article 83.1 of the GDPR requires that a fine imposed by an authority must, in each case, be effective, proportionate and dissuasive. Article 83.2 of the GDPR sets out a number of criteria that must be duly taken into account in each specific case. In addition, the highest level of fine applies in accordance with Article 83.5.b) of the GDPR. Indeed, in the event of a violation of the rights of the data subject (in this case, the right of access guaranteed by Article 15 GDPR), the Litigation Chamber may impose an administrative fine of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover for the previous financial year, whichever is higher.

62. A penalty imposed by the DPA in the form of a fine must be adequately justified; the size of this penalty must, on the one hand, take into account the circumstances of the individual case and, on the other hand, be proportionate to the infringement found as well as to the status of the perpetrator of the infringement and its financial situation. However, no legal provision requires the Litigation Chamber to rule on all the criteria provided for in the aforementioned Article 83 of the GDPR, nor to indicate the numerical elements relating to the method of determining the amount of the penalty imposed.
The justification of the fine on the basis of a detailed summary of each element taken into consideration in determining the fine is therefore optional, but was carried out in this case.

63. In the present case, the administrative fine is justified by the fact that the defendant, whose turnover is established at (…EUR) for the year 2023, violated Article 15 of the GDPR for a period of 14 months. This violation was caused by the failure of two employees of the defendant to properly handle the request for access made by the complainant, thus denoting serious negligence, and this despite the fact that the processing of personal data constitutes one of its core activities. Furthermore, the Litigation Chamber takes into account the fact that although the defendant eventually gave a satisfactory response to the complainant's request for access, this response came during the exchange of submissions between the parties. These elements, further developed below, justify imposing an administrative fine rather than a lower penalty such as a warning or reprimand.

III.2.1. Calculation of the basic amount

64. Nature, gravity and duration of the violation (Article 83, paragraph 2, point a) of the GDPR) – First, the Litigation Chamber notes that the defendant infringed the complainant's right of access. In addition to Article 15 of the GDPR, the right of access is also enshrined in Article 8.2 of the Charter of Fundamental Rights of the European Union and therefore constitutes one of the essential elements of the fundamental right to data protection; in other words, it is the "gateway" that strengthens the control of data subjects over the data concerning them and allows the exercise of other rights conferred on the data subject by the GDPR, such as the right to object and the right to erasure.

[15] In this sense, the decision of the French Council of State (Conseil d'État), 10th and 9th chambers combined, 14 May 2024, No. 472221, states that "8. It follows from the preceding provisions that, where the legality of an administrative decision depends on a certain number of considerations being taken into account, compliance with the requirement to state reasons that they provide for does not require its author to state only those on which the decision taken is based. Furthermore, no provision requires the restricted formation of the CNIL to explain the amount of the penalties it imposes. It follows that the restricted formation of the CNIL, which was neither required to rule on all the criteria provided for in Article 83 of the aforementioned GDPR nor to indicate the figures relating to the method of determining the amount of the penalty imposed, but which based itself specifically on the criteria provided for in points (a) and (k) of Article 83(2) of the GDPR as well as on the business model of the applicant company and the weight it represents in its economic sector, did not give insufficient reasons for its decision", and "11. The restricted formation of the CNIL, in imposing a fine of 3 million euros, complied with the rules set out in Article 20 of the Law of 6 January 1978, cited in point 9. Furthermore, no provision, as stated in point 8, requires it to explain the amount of the penalties it imposes. Consequently, the restricted formation of the CNIL did not disregard the principle of the legality of offences and penalties".

65. The effectiveness of the right of access is guaranteed by the terms set out in Article 12 of the GDPR, which is intrinsically linked to Article 15 of the GDPR, among others.
Therefore, by giving a satisfactory response to the complainant's request for access only 14 months after the date on which the complainant exercised his right of access, the defendant was guilty of a continuous violation of Article 15 of the GDPR for more than 14 months.

66. Secondly, concerning the seriousness of the violation, the Litigation Chamber notes first of all that the defendant is a telecommunications company, and that the processing of personal data therefore constitutes one of its core activities. Also, as set out in the paragraphs above, there was a continuous violation for 14 months of Article 15 of the GDPR, which is the gateway to the exercise of other rights.

67. Thirdly, as for the duration of the violation, it continued for more than 14 months. Article 12.3 of the GDPR provides that the controller must respond "as soon as possible and in any event within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests." In this regard, the Litigation Chamber specifies, on the one hand, that the aforementioned extension of the deadline should only be used exceptionally (a need to rely on it could otherwise indicate that the data controller needs to improve its procedures for handling requests) and, on the other hand, that the data controller must respond to a request for access in less than one month if it is able to do so.

68. Deliberate or negligent nature of the violation (Article 83, paragraph 2, point b) of the GDPR) – A distinction is made between a violation caused by negligence and a violation caused deliberately. The deliberate nature of a violation requires two conditions to be met, namely knowledge of a violation as well as the will to cause it. Negligence is defined, a contrario, by the absence of intentionality in the commission of the offence, even though the duty of diligence was not respected.

69. The Litigation Chamber specifies that a high threshold is set for a violation to be considered deliberate. In addition, negligence can also be assessed by degrees.

70. In the present case, there is no intentionality in the breach of Article 15 of the GDPR. However, in view of the financial and human capacities of the defendant, as well as the fact that the processing of personal data constitutes one of the core activities of the defendant, the Litigation Chamber considers that the defendant committed serious negligence. This is all the more true since the inability to respond to the request for access issued by the complainant was manifested by two employees of the defendant.

71. Categories of personal data concerned by the violation (Article 83, paragraph 2, point g) of the GDPR) – It does not appear from the documents in the case file that any data other than identification data were processed by the controller.

72. Classification of the seriousness of the violation and determination of the appropriate starting amount – The assessment of the above elements, namely the nature, seriousness and duration of the violation, the deliberate or negligent nature of the violation and the categories of personal data concerned, makes it possible to determine the degree of seriousness of the violation as a whole. According to this assessment, the seriousness of the violation can be described as "low", "medium" or "high".

73. In this case, it should first be noted that the violation of Article 15 is among the violations listed in Article 83.5 of the GDPR, thus falling under the higher level of Article 83 of the same Regulation. It should also be noted that the processing of personal data that motivated the complainant to exercise his right of access constitutes one of the core activities of the defendant. In addition, the complainant received a response more than 14 months after exercising his right of access, and only during the exchange of submissions in the present procedure. However, it does not emerge from the case file that data other than identification data were processed by the defendant. Furthermore, the violation concerns only the complainant. In addition, the damage suffered by the latter is low, given that he already had part of the answers he requested from the defendant and that he was not entitled to the other information requested, namely the identity of the employees who processed his personal data. In any event, the violation committed by the defendant is the result of gross negligence on its part.

74. In light of the elements set out above, the Litigation Chamber concludes that the violation found is of low gravity. Therefore, for the calculation of the subsequent amount, a starting amount of between 0% and 10% of the maximum legal amount provided for in Article 83.5 of the GDPR will be set.

75. The turnover of the defendant amounting to (…) EUR for the year 2023, the Litigation Chamber sets the basic amount for the calculation at EUR 100,000.

III.2.2. Mitigating and aggravating circumstances

76. Measures taken to mitigate the damage suffered by the complainant (Article 83.2.c) of the GDPR) – As regards the measures taken to mitigate the damage suffered by the complainant, the Litigation Chamber acknowledges that the defendant eventually provided a complete and satisfactory response to the complainant. However, it cannot be ignored that this response was provided after the parties had been invited to file their submissions.

77. Degree of responsibility of the defendant taking into account the technical and organisational measures implemented in accordance with Articles 25 and 32 (Article 83.2.d) of the GDPR) – The Litigation Chamber, assessing the level of responsibility of the defendant, notes that the latter is fully responsible for the management of the requests of data subjects that it receives, including requests to exercise the right of access.

78. This responsibility encompasses various aspects, in particular the efficiency with which requests are handled, the definition of specific codes to respond appropriately to requests made under Articles 15 to 22 of the GDPR, and the understanding and implementation of clear and effective procedures by all staff, from managers to internal staff.

79. The Litigation Chamber notes that, at the time of the facts, the defendant had a point of contact for its data protection officer. This did not, however, prevent the complainant's request for access from only being properly followed up more than 14 months after it was made, particularly because the defendant did not forward the complainant's request to its DPO, and even wrongly told the complainant that it did not have a DPO contact point.

80. Previous violations committed by the data controller (Article 83.2.e) of the GDPR) – The Litigation Chamber did not find any violation of Article 15 of the GDPR previously committed by the defendant, or any other violation that would be relevant in this case. This criterion is therefore deemed neutral, it being understood that compliance with the standards of the GDPR is the norm.

81. Degree of cooperation with the supervisory authority (Article 83.2.f) of the GDPR) – The Litigation Chamber notes that the defendant has been fully cooperative towards it. This criterion is deemed neutral, since cooperation is a general duty established by Article 31 of the GDPR.

82. Manner in which the supervisory authority became aware of the violation (Article 83.2.h) of the GDPR) – The Litigation Chamber became aware of the violation through a complaint. This criterion is deemed neutral.

83. Any other aggravating or mitigating circumstance (Article 83.2.k) of the GDPR) – No other aggravating or mitigating circumstance emerges from the present case.

III.2.3. The effective, proportionate and dissuasive nature of the fine

84. A fine is considered effective if it achieves its objectives, such as restoring compliance with the rules and sanctioning unlawful conduct. In this case, the fine aims to sanction the negligent and serious conduct of the defendant. In addition, it aims to deter other similar violations in the future. The prolonged violation of the complainant's fundamental rights, despite the complainant's request for access and multiple reminders, demonstrates the need for a firm response from the Litigation Chamber. In this case, the defendant, with a turnover of more than (… euros), can bear a fine of EUR 100,000 (less than 0.01% of its turnover) without compromising its economic viability. The Litigation Chamber sought a dissuasive final fine amount, in order to prevent the defendant from repeating the violation of the GDPR rules. In addition, it also seeks to deter other companies from committing similar violations.

III.2.4. Reaction of the defendant to the sanction form

85. As a preliminary point, the defendant highlights the circumstances of the present case. It states that this is a one-off and isolated infringement, and not one of a systemic nature. This violation would have its source not in deliberate intent or serious negligence, but in simple negligence. It adds that the number of persons affected by the violation is limited to the single complainant, who suffered extremely limited harm; this is justified in particular by the fact that the violation of the GDPR concerns only simple identification data. In this regard, the defendant notes that although the right of access constitutes the "gateway" to the exercise of the other rights conferred by the GDPR, the complainant did not exercise those rights after obtaining a response to his request for access on 28 March 2023. In any event, the defendant notes that it has corrected the violation it committed and has implemented additional internal measures, including training in its customer service to enable employees working there to better recognise access requests and to better process them. Finally, the defendant argues that it receives an average of 150 requests for access per year and that, consequently, it is possible that requests are answered beyond the deadlines provided for in Article 12.3 of the GDPR due to human error.

86. The defendant contests (i) the choice to impose an administrative fine and (ii) its amount.

(i) Concerning the choice to impose an administrative fine

87. On the one hand, the defendant recalls the judgments of the Market Court in which the latter held that the sole violation of the time limits established by Articles 12.3 and 12.4 of the GDPR cannot justify the imposition of a sanction.

88. On the other hand, the defendant denounces a disproportion between the choice to impose an administrative fine and the facts presented above. The defendant states that the Litigation Chamber has a wide range of sanctions at its disposal. However, it considers that the Litigation Chamber has not justified why the imposition of an administrative fine would be necessary in this case, or why other sanctions, such as a reprimand or warning, would not be appropriate.

(ii) The amount of the administrative fine

89. In the final analysis, the defendant considers that the amount of the fine is totally disproportionate to the seriousness of the facts of the case.

III.2.5. Final amount of the fine

90. In light of the defendant's reaction, the Litigation Chamber decides to maintain the amount of the fine as communicated to the defendant on 3 July 2024, namely EUR 100,000.

91. The defendant in fact puts forward as new elements only the fact of having adopted additional internal measures in order to prevent such a violation from recurring in the future, and the information relating to the number of requests for access that it receives on average per year (150).

92. First of all, the Litigation Chamber notes that organising adequate training for staff so that they can better handle requests to exercise the rights of data subjects is what is expected of a data controller, particularly when it occupies such a position in the market. Since compliance with the GDPR is the norm, this element cannot be assessed other than as a neutral criterion.

93. Furthermore, the Litigation Chamber wishes to emphasise that the processing of personal data is a core activity of the defendant, and that in view of its sector of activity, its size and the number of clients whose personal data the defendant processes, the risks arising from this are all the higher. Consequently, the defendant must be more vigilant with regard to the protection of personal data, and adopt robust procedures in order to guarantee compliance with the

In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Market Court (Brussels Court of Appeal), with the Data Protection Authority as the defendant. Such an appeal may be filed by means of an interlocutory application, which must contain the information listed in Article 1034ter of the Judicial Code [18]. The interlocutory application must be filed at the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code) [19].

(signed) Hielke Hijmans, President of the Litigation Chamber

[18] The application must contain, under penalty of nullity: 1° the indication of the day, month and year; 2° the surname, first name and address of the applicant, as well as, where applicable, his/her capacity and his/her national register number or company number; 3° the surname, first name, address and, where applicable, the capacity of the person to be summoned; 4° the subject and summary of the grounds of the application; 5° the indication of the judge who is seised of the application; 6° the signature of the applicant or his lawyer.

[19] The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.