APD/GBA (Belgium) - 73/2023

From GDPRhub
Revision as of 07:56, 21 June 2023 by Ls (talk | contribs)
APD/GBA - 73/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 4(7) GDPR
Article 95, §1, 3° Loi portant création de l’Autorité de protection des données
Type: Complaint
Outcome: Rejected
Started: 23.02.2023
Decided: 12.06.2023
Published:
Fine: n/a
Parties: Commissariat Général aux Réfugiés et Apatrides (CGRA)
National Case Number/Name: 73/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Autorité de protection des données (in FR)
Initial Contributor: Enzo Marquet

An employee using a personal phone to take pictures of an asylum seeker's social medias to use it in the asymum procedure is not violating the GDPR, even if the asylum office prohibited the use of private devices at work.

English Summary

Facts

During a hearing as part of an asylum application, an employee of the Office of the Commissioner General for Refugees and Stateless Persons (controller) took photographs with his private phone of social networks of the applicant (data subject). The photographs were added to his file.

The data subject was concerned whether this was standard practice and what happened with the pictures on the mobile phone. The CGRA responded to the data subject that the employee only had his best interests at heart i.e. an effective and swift procedure. Unsatisfied, the data subject filed a complaint with the Belgian DPA.

In its defense, the controller stressed that it provides its employees with work equipment and that there is no BYOD (Bring Your Own Device) policy. The usage of a private mobile phone was thus not allowed. It emphasised that this practice is neither widespread nor official and this has been communicated to the employee in question, as well as all other employees to prevent similar situations from occurring. The controller also added that the pictures were deleted immediately after the interviews.

Holding

The Belgian DPA established that the taking of photographs with a private phone constituted processing of personal data according to Article 4(1) and Article 4(2) and that the employer was the controller according to Article 4(7), regardless of the employee acting in breach or in compliance of internal procedures.

The DPA noted that the awareness measures to prevent further incidents constituted a good practice.

Concerning the use of private phone, the DPA stated that the implementation of BYOD for work related activities is not a problem per se but can present certain risks, a risk assessment is thus required, especially when dealing with personal data in a sensitive context, such as an asylum application.

In this case, the DPA concluded that nothing pointed towards a breach of the GDPR, regardless of the usage of personal equipment being against the controller's policy. The DPA reminded that the pictures were taken in favour of the data subject and were removed immediately from the personal device when retention was no longer required.

Based on the above, the DPA dismissed the complaint.

Comment

In another case, an employee was qualified as controller when breaching the employers' internal procedures, and processing data for private purposes : case 129/2021. The difference in this case is that the purpose of the processing was to perform the employer's activity.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/9



                                                                        Litigation Chamber


                                                            Decision 73/2023 of June 12, 2023



File number: DOS-2023-00901


Subject: Complaint relating to the taking of photographs with a mobile phone

personnel by an employee in the performance of his or her duties



The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke

Hijmans, President, sitting alone;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and

to the free movement of such data, and repealing Directive 95/46/EC (general regulation on the

data protection), hereinafter GDPR;


Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter
ACL);


Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to

processing of personal data (hereinafter LTD);

Having regard to the Rules of Procedure as approved by the House of Representatives on 20

December 2018 and published in the Belgian Official Gazette on January 15, 2019;


Considering the documents in the file;


Made the following decision regarding:



The plaintiff: Mr. X, hereinafter “the plaintiff”;


The defendant: The General Commissariat for Refugees and Stateless Persons (CGRA), whose headquarters

                       is established at 1070 Brussels (Anderlecht), rue Ernest Blérot, 39 and registered with the
                       Crossroads Bank for Enterprises (BCE) under number 0308.356.862, below

                       after "the defendant". Decision 73/2023 - 2/9



I. Facts and procedure


 1. The complaint concerns the taking of photographs by an employee of the defendant using

       his personal mobile phone during a hearing organized as part of the

       complainant's asylum application process.


 2. On February 23, 2023, the complainant filed a complaint with the Authority for the Protection of

       data (APD). He directs his complaint against the attaché in charge of contacts with lawyers

       (see also note 1).

 3. In his complaint, the Complainant states the following.


 4. During the month of November 2022, the complainant, accompanied by his counsel, was

       interviewed by the defendant. The plaintiff reports that during this interview, the police officer
                                           1
       protection (employee of the defendant) in charge of the plaintiff's file has, on 4 occasions with

       a cell phone, taken photographs of social media pages of members of

       the complainant's family and attach them to the file.

 5. Following this hearing, Counsel for the Complainant contacted the Respondent to inform

       of his astonishment at this taking of photographs and of what this practice

       seemed to violate applicable data protection regulations. THE

       plaintiff's counsel notes in this respect that "it is about the taking of a photo by mobile phone

       (professional or personal? [see below]) data of the applicant for protection

       international on the mobile phone of the applicant for international protection without having requested his

       prior consent and which concerns data of third parties”. In this same letter, the

       Counsel for the Complainant therefore also asks the question of the assets whether these photographs were

       taken with a private or professional mobile phone, if it is a practice

       generalized within the defendant and what happens to the photographs recorded on the

       mobile phone of the author of the photos.


 6. In December 2022, the defendant will, through the attaché responsible for contacts

       with the lawyers to whom counsel for the plaintiff had addressed, responded in the manner

       next :







1The protection officer and his function are described as follows on the CGRA website: https://www.cgra.be/fr/travailler-pour-le-cgra The protection officer

protection is the key figure in the fulfillment of the fundamental mission of the CGRS. He has a university education, is passionate about human rights and
international politics and has excellent writing skills. The protection officer develops in-depth knowledge of the countries of origin
applicants for international protection and regularly follows training in order to keep its expertise and the skills necessary for the exercise

of his function. The protection officer hears the applicant for international protection about all the elements contained in the file. He checks the
credibilityandexamineswhetherthereasonsfortherequestmeetthecriteriathatmayresultinthegrantingofprotectionstatus.Theprotectionofficerthen drafts
a duly substantiated proposal for a decision. Decision 73/2023 - 3/9



              “Master X,

              We would like to follow up on your intervention of […] November by informing you

              of what follows.


              It emerges from discussions with the protection officer who heard your client that he
              actually used his private phone to take photographs. He rocks

              that he has always been committed to strictly respecting confidentiality and data

              of the applicants. He had no other intention than to achieve

              efficient and rapid handling of the file for which he is responsible.

              The photographs taken were attached to the administrative file and deleted from

              his phone immediately after the November […] interview.


              However, this way of proceeding is incompatible with the modus operandi of the
              CGRS. The CGRS provides its employees with work equipment

              necessary for the performance of their professional duties. Therefore, take

              photos with an employee's private cell phone should not have happened. We

              insist on the fact that this is a practice at the CGRS which is neither generalized nor

              official.

              This was also communicated to the protection officer in question. And will be

              also communicated to other employees to prevent this situation from occurring.

              reproduce”.

 7. On February 23, 2023, i.e. the same day the complaint was filed, the Service de Première Ligne

       (SPL) of the DPA declares the said complaint admissible on the basis of Articles 58 and 60 of the LCA, and

       sends it to the Litigation Division in accordance with Article 62, § 1 of the LCA.


II. Motivation


 8. The Litigation Chamber notes, as already mentioned in point 1, that in its form

       of complaint, the complainant directs his complaint against the attaché in charge of contacts with

       lawyers. In his post-hearing letter (point 5), the complainant also seems

       directly implicate the protection officer who took the decision

       photographs during the hearing.

 9. The Litigation Chamber is of the opinion that this last employee of the defendant is not the

       controller in this case. Indeed, while it is undeniable that taking

       photographs of family members in the context described by the complaint is
       constituting a processing (article 4.2.) of personal data (article 4.1.) within the meaning of

       GDPR, the only circumstance that these photographs were taken by the employee in

       question does not make him a controller of said data within the meaning of Decision 73/2023 - 4/9



       section 4.7. of the GDPR. Furthermore, the fact that this employee took these photographs

       with his personal mobile phone, even in violation of the internal rules of application

       with the defendant, does not make him a controller within the meaning of this

       same item.


 10. The data controller is indeed defined therein as being “the natural person or

       legal entity, public authority, service or other body which, alone or jointly with

       others,determinesthepurposesandmeansofprocessing”.Article 4.7.further specifies

       that “when the purposes and means of this processing are determined by the law of

       the Union or the law of a Member State, the controller may be designated or the

       specific criteria for its designation may be provided for by Union law

       or by the law of a Member State".


 11. The Litigation Chamber is of the opinion that the employee concerned did not determine the purposes

       data processing. The processing complained of took place in the exercise of its

       function of protection officer of the defendant, in compliance with the missions legally

       assigned to the defendant. In this regard, the Litigation Chamber notes that the defendant

       has a privacy policy available on its website under the terms of

       which he identifies as data controller (see the section “Data of

       contact”) and under the terms of which it describes that in the context of the execution of

       legal, it processes personal data for the purpose of making decisions about

       applications for international protection/asylum as was the case in this case . 3


 12. The Litigation Chamber also considers that even if he certainly used his telephone

       personal mobile phone - and not a professional mobile phone - (i.e. a "means" in the

       of section 4.7. of the GDPR) apart, it seems, from the instructions given by the defendant to

       In this respect, this discrepancy does not, in this case, make him a data controller who would have

       determined the purposes (quod non – see point 11 above) and the means, these elements

       being cumulative. The present case should be distinguished from the situation in which an employee

       would divert the purpose determined by the data controller to substitute a


       own purpose, for example. The Litigation Chamber has thus already had the opportunity to

       requalify an employee as a data controller in cases where the latter had misappropriated

       access to the national register granted to him in the exercise of his functions for the
                                                        4
       consult for strictly personal purposes. The same applies to the subcontractor who







2Emphasis added by the Litigation Chamber.
3The basis for the lawfulness of the data processing carried out by the defendant does not therefore have to be based on the consent of the applicant for protection. Data such as
photographs of members of his family also become data concerning him as soon as he mentions them in the context of a hearing in support of his own request.
4See. for example decision 129/2021 of the Litigation Chamber, point 23 in fine: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-129-2021.pdf . See.
also decision 56/2021 of the Litigation Chamber, points 51 to 60 and the references cited: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-56-2021.pdf Decision 73/2023 - 5/9



       would go beyond the instructions received from the data controller and would pursue a

       own purpose. In this case, he is requalified as data controller.


 13. In the present case, this last scenario is also not applicable since the employee

       concerned is no more a subcontractor than he is a data controller. Bedroom

       Litigation recalls that is defined as a subcontractor within the meaning of Article 4.8. GDPR,

       “the natural or legal person, public authority, agency or other body which

       processes personal data on behalf of the controller”. THE

       processor is therefore, as underlined by the EDPS in its guidelines relating to the

       notions of data controller and processor in the GDPR already mentioned "a

       separate entity from that of the data controller”. The EDPS thus states that "for

       be considered a processor, two basic conditions must be met: a)

       be a separate entity from the controller and b) process personal data

       staff on behalf of the controller (point 76). The EDPS adds that "a

       separate entity means that the data controller decides to delegate all or part
                                                                                6
       processing activities to an external organization (point 77)”.

 14. It follows a fortiori from the foregoing that the defendant's attaché responsible for contacts

       with the lawyers and identified by the complainant as data controller under the terms

       of the complaint form (see note 1) is also not responsible for processing or sub-

       treating.


 15. If they are not responsible for processing or subcontracting, the above-mentioned employees shall not

       may be accused of breach(es) of the GDPR.


 16. These employees of the defendant are on the other hand “persons acting under the authority of the

       controller” within the meaning of Article 29 of the GDPR who, when they have access to

       personal data can only, except in exceptional cases, be processed on the instructions of the

       controller, or on the instructions of the defendant. In this regard, the Chamber

       Litigation notes that the defendant indicates that, following the facts complained of, he took

       awareness-raising measures for the employee concerned as well as for all

       personnel to prevent incidents such as the one denounced. This initiative is relevant.

 17. The Litigation Chamber will now examine whether a breach of the GDPR or the rules

       data protection with which the Litigation Chamber is required to ensure compliance

       must be found on the part of the defendant who assumes the quality of responsible

       treatment.





5.
 European Data Protection Board (EDPB), Guidelines 07/2020 on the notions of controller and processor in the GDPR
6ttps://edpb.europa.eu/system/files/202202/eppb_guidelines_202007_controllerprocessor_final_fr.pdf, point 86.
 European Data Protection Board (EDPB), Guidelines 07/2020 on the notions of controller and processor in the GDPR
https://edpb.europa.eu/system/files/202202/eppb_guidelines_202007_controllerprocessor_final_fr.pdf, page 4 of the French version and points 76-77. See. also Decision 175/2022 of the
Litigation Chamber. Decision 73/2023 - 6/9



 18. The Litigation Chamber recalls that the use of personal equipment by

       employees in the performance of their duties is a choice of the employer to authorize it

       or not, if necessary under certain conditions. In this case, we speak of BYOD, an acronym

       for “Bring Your Own Device” (in French: “Bring Your Personal Equipment from

       Communication" or AVEC), which designates the use of personal computer equipment

       in a professional context. This may be, for example, an employee who, in order to

       connect to the company network, use personal equipment such as their computer,

       his tablet or smartphone or, as in this case, the use of his telephone

       personal laptop for taking photographs to be attached in a file as

       evidence or documentation or the use of his telephone

       staff for computer testing.

 19. BYOD is not “personal data processing” per se. It's a

       particular technical means, by means of which data processing takes place

       applicable.


 20. The use of such personal equipment can certainly present increased risks,
                                                            7
       particularly in terms of data security and should be subject to an evaluation

       particularly vigilant in terms of risk. Without this constituting a
       any remedy or sanction within the meaning of Article 95 of the ACL, the Chamber

       Contentious recalls in this regard the importance of data security, a fortiori

       when sensitive data is regularly processed - as in the case of the

       defendant - by the very nature of the missions entrusted to it or more generally,

       when data processing (sensitive or not) takes place in a context

       delicate as that of obtaining a right or the request for recognition of a

       status (as in the present case) which may expose the person concerned or his entourage

       at risk.

 21. In this case, the defendant specifies that the use of personal equipment, such as a telephone

       personal laptop, by one of its employees in the exercise of its function, is contrary to the

       rules that it has in place. The use of their mobile phone by the employee concerned is

       an isolated fact contrary to the defendant's practices.


 22. However, as recalled in point 19, the use of his mobile phone

       personnel by the employee concerned, even in contravention of internal rules, is not

       constituting processing within the meaning of the GDPR. Nothing in the file attests to the fact that

       the processing of said data would also have taken place in violation of the rules of
       data protection. If, as the Litigation Chamber explained above, the appeal



7The CNIL recommends a certain number of good practices relating to the use of BYOD here: https://www.cnil.fr/fr/byod-quelles-sont-les-bonnes-pratiques.
See. also the work of the EDPS “Guidelines on the protection of personal data in mobile devices used by European institutions (December 2015), in particular points 90 and following
devoted to the specific risks of BYOD: https://edps.europa.eu/sites/edp/files/publication/15-12-17_mobile_devices_en.pdf Decision 73/2023 - 7/9



       to BYOD (whether in contradiction or in accordance with internal practices) increases

       potentially the risk of breaching the security of the data processed by means of such

       equipment, nothing in the file provides proof of a breach of the obligation

       security or any other breach of the GDPR. The defendant further clarified that

       thephotographsareimmediatelydeletedfromtheemployee's personal phone

       concerned.


 23. Based on the facts described in the complaint file as summarized above and the

       parts produced, and on the basis of the powers attributed to it by the legislator

       under article 95, § 1 of the LCA, the Litigation Chamber decides on the action to be taken

       case. In this case, the Litigation Chamber decides to proceed with the classification without

       following up on the complaint, in accordance with Article 95, § 1, 3° of the LCA, for the reasons set out

       below.

 24. In matters of dismissal, the Litigation Chamber is required to justify its

       step-by-step decision and:


            - to pronounce a classification without technical continuation if the file does not contain or not

               sufficient elements likely to lead to a sanction or if it includes a

               technical obstacle preventing him from rendering a decision;


            - or pronounce a classification without further opportunity, if despite the presence

               elements likely to lead to a sanction, the continuation of the examination of the

               file does not seem to him to be appropriate given the priorities of the Autorité de

               data protection as specified and illustrated in the Privacy Policy

               dismissal of the Litigation Chamber. 9


 25. In the event of dismissal based on several grounds, the latter (respectively,

       classification without technical follow-up and classification without opportunity follow-up) must be
                                     10
       dealt with in order of importance.


 26. In this case, the Litigation Chamber decides to close the complaint without action on the grounds

       technical when it considers that no breach of the GDPR or the rules of

       protection of the data for which it cannot control, on the basis of grievances and documents

       produced in support of the complaint, be blamed on the defendant (criterion A.2. of the

       dismissal of the Litigation Chamber).



III. Publication and communication of the decision




8. Court of Markets (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p.18.
9. In this respect, the Litigation Chamber refers to its policy of classification without follow-up as developed and published on the website of the Data Protection Authority:

https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf.
10Cf.Titre 3 – In which cases is my complaint likely to be dismissed by the Litigation Chamber? of the classification policy without follow-up of the Litigation Chamber. Decision 73/2023 - 8/9




 27. Given the importance of transparency with regard to the process

       decision-making and the decisions of the Litigation Chamber, this decision will be published on the


       ODA website. However, for this purpose it is not necessary that the data

       identification of the complainant are mentioned.


 28. With regard to the identification of the defendant, the Litigation Chamber considers that the

       complete understanding of the decision - which one (without this being a criterion


       decisive) does not otherwise accuse the defendant of any breach - requires that

       the identity of the defendant is published. This depends on the specific nature of the defendant's mission,

       references cited relevant to the motivation of this decision and therefore to the effect

       useful transparency desired by the Litigation Chamber.



 29. In accordance with its policy of dismissal, the Litigation Chamber
                                                   11
       communicate the decision to the respondent. Indeed, the Litigation Chamber decided to

       communicate dismissal decisions to default defendants. There

       However, the Litigation Chamber refrains from such communication when the complainant


       requested anonymity vis-à-vis the defendant and when the communication of the decision to the

       defendant, even if pseudonymised, nevertheless risks being re-identified. 12

       This is not the case in the present case.






    FOR THESE REASONS,



    the Litigation Chamber of the Data Protection Authority decides, after deliberation,

    to close this complaint without further action pursuant to Article 95, § 1, 3° of the LCA.





In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,


within thirty days of its notification, to the Court of Markets (court

d'appel de Bruxelles), with the Data Protection Authority as defendant.


Such an appeal may be introduced by means of an interlocutory request which must contain the

information listed in article 1034ter of the Judicial Code. The interlocutory motion must be








11Cf.Titre 5 – Will the classification without follow-up be published? Will the opposing party be informed? of the classification policy without follow-up of the Contentious Chamber.
12.
  Ibidem.
1. The request contains on pain of nullity:
 (1) indication of the day, month and year;
 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or company number;

 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
 (4) the object and summary statement of the means of the request;
 (5) the indication of the judge who is seized of the application;
 6° the signature of the applicant or his lawyer. Decision 73/2023 - 9/9



                                                                                                       14
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , Or

via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).








(se). Hielke HIJMANS


President of the Litigation Chamber



































































14. The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.