APD/GBA (Belgium) - 27/2023
APD/GBA - 27/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12(3) GDPR Article 12(4) GDPR Article 15(1) GDPR Article 34(1) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 03.03.2020 |
Decided: | 13.03.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 27/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | GBA (in FR) |
Initial Contributor: | kv33 |
The Belgian DPA reprimanded a landlord for not answering an access request within the deadline, in violation with Article 15 GDPR.
English Summar
Facts
This decision concerned a landlord (controller) who did not respond to an access request of a tenant (data subject).
On 2 December 2019, the data subject filed an access request with the controller.
On 31 December 2019, almost one month later, the controller notified the data subject that it would use the possibility in Article 12(3) GDPR to extent the normal deadline of one month with two additional months
On 3 March 2020, the data subject filed a complaint with the Belgian DPA against the controller because no answer had been provided at that point.
On 2 September 2020, almost 10 months after the data subject had filed the original access request, the controller provided a reply. However, the data subject complained that the controller had not answered all the questions of the data subject. These questions concerned the existence of possible leaks of personal data, the security protocols of the controller and, lastly, the security and organisational measures relating to processing by the controllers employees or contractors. The controller refused to answer these questions because these would not fall within the scope of Article 15(1) GDPR and the controller was therefore not obligated to answer these questions.
On 29 September 2020, the controller clarified its position to the DPA. The controller acknowledged that no answer had been provided to the data subject. This was because the controller's employee in charge of the data subjects file had been on a long term sick leave. The access request was then simply forgotten, according to the controller.
Holding
The DPA first reiterated the legal requirements of Article 15 GDPR. In particular, the DPA stressed the importance of the right of access under Article 15 GDPR, since this right allowed data subjects to check the lawfulness of each processing activity and, if necessary, to have the processed personal data rectified or deleted.
Assessing the facts of the case, the DPA confirmed that the controller did not respond to the access request within the provided deadline, also not after the extension. The DPA rejected the explanation of the controller why it had not replied to the request. The fact that the responsible employee had been on long term sick leave and the fact that the access request was then simply forgotten was not a valid exoneration for the controller to not fulfill its obligations towards the data subject. This practice constituted a breach of Articles 15(1), 12(3) and 12(4) GDPR. The DPA reprimanded the controller for these violations.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/7 Litigation Chamber Decision on the merits 27/2023 of 13 March 2023 File number: DOS-2020-01123 Subject: Lack of satisfactory response to the exercise of the right of access The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and Messrs. Yves Poullet and Christophe Boeraeve, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter "GDPR"; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter ACL); Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Made the following decision regarding: The plaintiff: X, hereinafter “the plaintiff”; The defendant: Y, hereinafter: "the defendant". Decision on the merits 27/2023 – 2/7 I. Facts and procedure 1. On March 3, 2020, the complainant lodged a complaint with the Data Protection Authority given against the defendant. The subject of the complaint concerns the lack of a satisfactory response to the exercise of the right complainant's access, outside the extended two-month period. On December 2, 2019, the plaintiff exercised his right of access to the defendant, his former owner. The defendant notified him on December 31, 2019 of the extension of the two month response. The defendant did not subsequently respond to the plaintiff's request as September 2, 2020. 2. On March 9, 2020, the complaint was declared admissible by the Front Line Service on the basis of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Chamber pursuant to Article 62, § 1 of the LCA. er 3. On September 18, 2020, the Litigation Chamber decides, pursuant to Article 95, § 1, 1° and of article 98 of the LCA, that the case can be dealt with on the merits. 4. On August 18, 2020, the parties concerned are informed by registered letter of the provisions as set out in article 95, § 2 as well as in article 98 of the LCA. They are also informed, pursuant to Article 99 of the LCA, of the deadlines for transmitting their conclusions. For findings relating to the subject of the complaint, the deadline for receipt of conclusions in response of the defendant was set for September 29, 2020, that for the complainant's submissions in reply to October 20, 2020 and finally that for the submissions in reply of the defendant on November 10, 2020. 5. On August 19, 2020, the Complainant agrees to receive all communications relating to the matter electronically. 6. On August 26, 2020, the defendant agrees to receive all communications relating to the case electronically and expresses its intention to make use of the possibility of being heard, this in accordance with article 98 of the LCA 7. On September 29, 2020, the Litigation Chamber receives the submissions in response from the defendant with regard to the findings relating to the subject-matter of the complaint. There defendant does not contest the lack of response to the exercise of the right of access by the complainant. The defendant would have consulted lawyers in order to provide an answer satisfactory to the complainant. The response would never have been sent due to the absence of one of its employees. The complainant's request was then forgotten, but a response was finally brought on September 2, 2020. Decision on the merits 27/2023 – 3/7 8. On October 9, 2020, the Litigation Chamber received the conclusions in response from the complainant. The complainant emphasizes the lateness of the response. Moreover, the defendant refused to answer some of his questions. 9. On November 10, 2020, the Litigation Chamber receives the submissions in reply from the of the defendant concerning the findings relating to the subject matter of the complaint. There defendant repeats that forgetting to answer was not voluntary. The defendant has actually refused to answer part of the complainant's questions because she would not not legally obliged to respond under Article 15 of the GDPR. 10. On February 8, 2023, the parties are informed that the hearing will take place on 02/24/2023. 11. On February 24, 2023, the parties are heard by the Litigation Chamber. 12. On March 2, 2023, the minutes of the hearing are submitted to the parties. Bedroom Litigation did not receive any remarks from the defendant relating to the minutes that she decides to resume its deliberation. II. Motivation II.1. On the violation of the right of access (articles 15.1, 12.3 and 12.4 of the GDPR) II.1.1. Content and scope of the right of access 13. In its capacity as data controller, the defendant is required to comply with the data protection principles and must be able to demonstrate that these are respected. It must also implement all the necessary measures for this purpose. (principle of responsibility – articles 5.2 and 24 of the GDPR). 14. The right of access has three components. First, under Article 15.1 of the GDPR, the data subject has the right to obtain from the controller confirmation that personal data concerning him are or are not processed. Secondly, when there is processing of personal data, the person concerned has the right to obtain access to said personal data as well as to a series of information listed in Article 15.1 a) - h) such as the purpose of the processing of its data, the possible recipients of his data as well as information relating to the existence of his rights, including the right to request the rectification or erasure of his data or that of filing a complaint with the DPA. Third, under 15.3 GDPR, the data subject also has the right to obtain a copy of the personal data which is the subject of the processing. Article 15.4 of the GDPR provides that this right to copy may not infringe the rights and freedoms of others. Decision on the merits 27/2023 – 4/7 15. The Litigation Chamber emphasizes the importance of respecting the right of access of persons concerned. This right allows data subjects to control the legality of each processing activity and, where appropriate, to have the personal data rectified or erased staff processed. II.1.2. Terms of the right of access 16. Article 12 of the GDPR relating to the procedures for exercising their rights by persons concerned provides that the controller must facilitate the exercise of their rights by the data subject (article 12.2 of the GDPR) and provide them with information on the measures taken following his request as soon as possible and at the latest the period of one month from its request (article 12.3 of the GDPR). For more requests complex, or when the controller receives a large number of requests, this initial period of one month can be extended by two months (article 12.3 of the GDPR). When the data controller does not intend to respond to the request, he must notify its refusal within one month accompanied by the information that a appeal against this refusal may be lodged with the supervisory authority for the protection of data (12.4 GDPR). II.1.3. As for the defendant's belated response to the exercise of the right of access by the plaintiff 17. It appears from the documents in the file that the complainant did indeed exercise his right of access to the defendant on December 2, 2019. On December 31, 2019, the defendant notified the complainant of the extension of its two-month deadline for reply. The defendant did not however, did not respond within this two-month period: the complainant only received a response in September 2020. The Litigation Chamber also notes that the defendant has not followed up on the complainant's request that shortly after receiving a letter from the Litigation Division, informing the parties of a procedure on the merits. There Nor does the defendant dispute the absence of a satisfactory response from it. 18. To explain this delay, the Respondent indicates that it intended to respond to the plaintiff's request, but, the employee responsible for processing the plaintiff's file being then absent due to long-term sick leave, no response was sent to the complainant. The plaintiff's request was then forgotten. This fortuitous circumstance cannot, however, exonerate a data controller from his obligations with regard to the persons concerned. It is therefore a violation on the part of the defendant of the articles 15.1, 12.3 and 12.4 of the GDPR. 19. The Litigation Division notes however, on the basis of the evidence provided by the defendant, that the defendant had indeed begun to prepare a response to the plaintiff with the help of lawyers. The defendant also claims to have adopted Decision on the merits 27/2023 – 5/7 organizational measures to guarantee access to the personal data of his clients. During the hearing, the defendant explained that it had created a mailbox where access requests from other data subjects are forwarded. This box of messaging is accessible to several employees of the defendant in order to prevent a request of this kind remains unanswered. The Litigation Chamber will take into take these elements into consideration when adopting a sanction. II.1.4. As for the defendant's incomplete response to the right of access of the plaintiff 20. In his submissions, the Complainant raises the fact that the Respondent refused to answer to some of the complainant's questions. These questions concerned the existence possible leaks of the complainant's data following security flaws, the protocols information security measures adopted by the complainant as well as the security and organizational arrangements relating to the processing of personal data by the employees or contractors of the defendant (respectively questions 7, 8 and 9 of the complainant). The defendant refused to answer these questions because the information requested would not fall within the scope of Article 15.1 of the GDPR. 21. Regarding the refusal to answer questions 8 and 9, a data controller is not not required to share information regarding security protocols and organizational measures because this information is not included in article 15, paragraph 1, items (a) to (h) or by Article 13, paragraphs 1 to 2. The defendant was therefore not required to answer questions relating to this information. 22. With regard to question 7, a data leak is defined by the GDPR as a data security breach. Under Article 34.1 of the GDPR, a data controller processing is only obliged to notify the data subject when “a breach of personal data is likely to create a high risk for the rights and freedoms of a natural person". It does not appear in any part of the file that such breach of the complainant's data has occurred. The defendant therefore did not have to answer to question 7. 23. The Litigation Chamber thus follows the reasoning of the defendant as it was not obliged to answer questions 7, 8 and 9 of the plaintiff. was therefore late but complete. 1 Art. 4.12 of the GDPR: “a breach of security resulting, accidentally or unlawful, destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data”. Decision on the merits 27/2023 – 6/7 24. Furthermore, the Litigation Division notes that, despite the absence of an obligation to respond to questions 7, 8 and 9, the defendant nevertheless provided the complainant with an answer to these questions from the hearing of February 24, 2023. III. Sanction 25. The Litigation Division notes that it is a question of the violation of Articles 15.1, 12.3 and 12.4 GDPR. Although the defendant responded to the exercise of the right of access of the complainant, it was found that breaches of the GDPR had taken place. of the right of access of data subjects is fundamental in the protection of data. 26. The Litigation Division considers that there are sufficient elements to formulate a reprimand, which constitutes a light and sufficient sanction in light of the violations of the GDPR observed in this file. When determining the penalty, the Chamber Litigation takes into account the fact that the defendant has rectified the situation and the efforts of the defendant to guarantee in the future the right of access of the persons concerned. IV. Publication of the decision 27. Given the importance of transparency regarding the decision-making process of the Chamber Litigation, this decision is published on the website of the Protection Authority Datas. However, it is not necessary for this purpose that the identification data of the parties are communicated directly. FOR THESE REASONS, The Litigation Chamber of the Data Protection Authority decides, after deliberation: - Pursuant to Article 100, §1, paragraph 5° of the LCA, to issue a reprimand to towards the defendant as regards the violation of Article 15, paragraph 1, of Article 12, paragraphs 3 and 4, of the GDPR. In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, to the Court of Markets (court d'appel de Bruxelles), with the Data Protection Authority as defendant. Decision on the merits 27/2023 – 7/7 Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory motion must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 3 via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.). (Sr.) Hielke H IJMANS President of the Litigation Chamber 2The request contains on penalty of nullity: (1) indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or Business Number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; (4) the object and summary statement of the means of the request; (5) the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer. 3 The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by letter recommended to the court clerk or filed with the court office.