APD/GBA (Belgium) - 29/2024

From GDPRhub
Revision as of 15:41, 20 February 2024 by Nzm (talk | contribs)
APD/GBA - 29/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 12(4) GDPR
Article 17(1) GDPR
Article 31 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.02.2024
Published:
Fine: 2,000 EUR
Parties: n/a
National Case Number/Name: 29/2024
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: nzm

A data subject lodged a complaint with the Belgian DPA after a controller failed to respond to his erasure request several times. When the controller finally removed the data subject’s data, the DPA considered that they should still assess whether there was a data breach or not.

English Summary

Facts

On March 2020, a data subject filed a complaint with the Belgian DPA (“APD”) concerning the online publication of his name, address and photograph on the controller’s website. This personal data was obtained during an on-site visit to the data subject’s home following an energy renovation. The data subject requested several times that the personal data concerning him be deleted and the controller indicated that they would comply, but the situation remained unchanged.

On 12 March 2020, the APD started a sanctioning procedure against the controller. On 15 February 2021, the APD ordered the controller to comply with the data subject’s request within a period of 14 days from the notification of the decision. The controller did not comply with the request. The APD therefore decided that the case was ready for a hearing and notified them of the time limits for submitting their defences under Belgian Law. The data subject indicated that they did not receive the conclusions of the controller and that the data was still available on their website. The APD asked the controller to indicated whether or not they wanted to conclude for which they granted an additional period of one week. The controller responded by stating that they wished to communicate via a different e-mail address, without indicating whether or not they wanted to conclude.

On 12 May 2021, the DPA adopted a new schedule of submissions which was sent to the new e-mail address, as per requested by the controller who failed to respond once again. The APD fixed a hearing date and the controller notified the DPA that they would not participate in the hearing because they considered that their presence was not a requirement as the facts were clear. On 6 December 2023, the DPA received a notification that the controller appointed a counsel and requested that the hearing be postponed as it was materially impossible to prepare for the hearing in such a short time frame. The APD granted the postponement and set a new hearing date for January 2024.

On 12 January 2024, the data subject indicated that his details were removed from the website and that the case should not be pursued. The controller therefore responded that pursuant to the data subject’s notice, the matter of the dispute was no longer meaningful.

Holding

Firstly, the DPA indicated to the parties that the hearing date would be maintained, considering that once the matter has been referred to a DPA, it is empowered to investigate in full independence the compliance with the GDPR, regardless of the withdrawal of the complaint by the data subject. The APD therefore considered that once a complaint is considered admissible by the APD, they must assess whether the related facts constitute a breach of GDPR.

Secondly, the APD considered that the controller was repeatedly given the opportunity to comply with Articles 12(3) and 12(4) GDPR because they received several requests from the data subject and an order by the APD but the situation remained unchanged. The APD considered that the corrective measure imposed by the previous decision was manifestly disregarded by the controller. The APD took several elements into account.

Regarding the seriousness of the breach, the APD indicated that the controller breached Articles 12(3), 12(4), 17(1) GDPR by failing to respond to the data subject’s request. The DPA added that the controller failed to comply with the duty to cooperate under Article 31 GDPR.

Regarding the duration of the breach, the DPA noted that the data subject filed its first request for erasure on 18 November 2018 and repeated it two times, but was left with no response until 12 January 2024.

Regarding the manner in which the controller reacted, the APD took into account the fact that the controller completely ignored the decision taken and maintained the data subject’s personal data online.

The APD concluded that these elements justified an effective, proportionate and dissuasive sanction under Article 83 GDPR and therefore imposed a €2,000 fine for breaching Articles 12(3) and 12(4) in conjunction with Article 17(1) GDPR, as well as Article 31 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/8



                                                                          Dispute Chamber


                                                 Decision 29/2024 of February 9, 2024


File number: DOS-2020-01312


Subject: Exercise of the right to erasure of data with regard to publication

of name, address and photo on website



The Disputes Chamber of the Data Protection Authority, composed of Mr

Hielke HIJMANS, chairman, and Messrs. Dirk Van Der Kelen and Frank De Smet, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and regarding the free movement of such data and to the revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter “WOG”;


In view of the internal rules of order, as approved by the House of Representatives

Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;


Considering the documents in the file;



Has made the following decision regarding:


Complainant: Mr.


The defendant: Mr. Y, [address], [national register number], represented by Mr. Christian

                   Lemache, hereinafter “the defendant” Decision on the merits 29/2023 - 2/8


I. Facts and procedure


    1. On March 10, 2020, the complainant submits a complaint to the Data Protection Authority

        against defendant.

    2. The subject of the complaint concerns the online publication of the name, address and photo

        of the complainant on the defendant's website. The defendant has the relevant

        personal data of the complainant obtained in the context of an on-site visit at the

        complainant at home following an energetic renovation subsidized by the
        province. The defendant, in his capacity as a politician, proceeded to publish

        the complainant's details on his personal website. The complainant turned away several times

        to the defendant with the request to delete the personal data concerning him.

        Although the defendant indicates that he will comply with the complainant's request, the

        situation unchanged and the relevant details of the complainant are still available online
        consult the defendant's website.


    3. On March 12, 2020, the complaint will be declared admissible by the First Line Service on

        on the basis of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG

        transferred to the Disputes Chamber.

    4. On February 15, 2021, the Disputes Chamber will notify the parties of Decision 16/2021

        of February 9, 2021 in which the Disputes Chamber pursuant to Article 58.2, c) GDPR and Article

        95, §1, 5° WOG orders the defendant to comply with the request of the
        data subject to exercise his rights, in particular the right to erasure of data

        (Article 17.1 GDPR), and to erase the complainant's personal data, and

        this within a period of 14 days from the notification of the aforementioned

        Decision 16/2021.

    5. In the absence of any response to Decision 16/2021 by the defendant, the

        Disputes Chamber on March 10, 2021 on the basis of Article 95, § 1, 1° and Article 98 WOG that

        the file is ready for treatment on the merits and the parties involved will be notified by email

        notified by registered mail of the provisions referred to in Article 95, § 2,

        as well as those in Article 98 WOG. They are also registered on the basis of Article 99 of the WOG
        informed of the deadlines for submitting their defenses.


        The deadline for receipt of the defendant's statement of defense was

        recorded on April 21, 2021, this for the conclusion of the complainant's reply on 12
        May 2021 and this for the defendant's response on June 2, 2021.


    6. On May 5, 2021, the complainant indicated that he had not received any conclusions due to the

        defendant and, failing that, does not have the opportunity to rely on it
        replicate, but his data is still online on the website

        defendant. Decision on the merits 29/2023 - 3/8


7. On May 6, 2021, the Disputes Chamber will request the defendant to know

      indicate whether or not he wishes to conclude for which, if necessary, he will receive an additional one

      term of one week is granted. On the same date, the defendant only responds with

      the message that he wishes to communicate via another email address without any indication
      whether he will still conclude.


8. In the absence of any response from the defendant, the Disputes Chamber will set a date of May 12

      2021, a new claim calendar will be established, which will be delivered to the defendant on the

      email address requested by him. The deadline for receipt of the conclusion of
      the defendant's response was recorded on June 23, 2021, this for the

      conclusion of the complainant's reply on July 14, 2021 and this for the conclusion of the reply of

      the defendant on August 4, 2021.


9. After further response from the defendant, it remains unclear whether he has
      does not want to submit defenses, the Disputes Chamber will go to trial on November 22, 2023

      ex officio to set a hearing for which the date will be set

      recorded on December 12, 2023. This invitation to the hearing will be sent both by e-mail and

      sent by email as registered mail.

10. On 27 November 2023, the complainant reports to the Disputes Chamber that he will not participate in

      the hearing, where he indicates that he is satisfied with his presence at the hearing

      is not a requirement as the facts are clear.

11. On December 6, 2023, the Disputes Chamber receives notification that the defendant has a

      counsel has been appointed. The counselor who states that he was recently consulted by the

      defendant, requests the Disputes Chamber to postpone the hearing because it is material

      impossible to prepare for the hearing within the short time frame. In the

      In this context, he also requests a copy of the file. The counselor also leaves that aside

      know that they have advised the defendant to delete the complainant's data
      of the website. The counselor explicitly asks the complainant to take a stand

      decide whether to maintain his file in these circumstances.


12. The request to postpone the hearing will be granted on December 8, 2023 by the

      Disputes Chamber that informs the parties thereof.

13. On December 14, 2023, the Disputes Chamber will notify the parties of the new date

     of hearing set for January 23, 2024 and will be given to the defendant a

     copy of the file (Article 95, § 2, 3° WOG) submitted.

14. On January 12, 2024, the complainant reports to the Disputes Chamber that his data has been deleted

     removed from the defendant's website and the case no further as far as he is concerned

     should be treated. He reports that he is satisfied with the outcome of the file. Decision on the merits 29/2023 - 4/8


15. Also on January 12, 2024, the defendant's counsel responded that pursuant to the

     notification from the complainant that the subject of the dispute is no longer an issue, so that a

     substantive treatment with appearance at the hearing is no longer useful.

16. On January 22, 2024, the Disputes Chamber clarified to the parties that the hearing as

     established on January 23, 2024 and will be maintained. The Disputes Chamber hereby points out that,

     once it has been caught, it will have full independence to comply with the GDPR

     to investigate and monitor its effective application, regardless of the

     withdrawal of the complaint by the complainant or its becoming null and void.

17. The supervision by the Disputes Chamber is not primarily aimed at the settlement of conflicts,

     but is one of the GBA's instruments to monitor compliance with the rules

     on data protection, in accordance with the provisions of the EU Treaties,

     the GDPR and the law of 3 December 2017 establishing the
     Data Protection Authority. If a complaint is filed and then if

     admissible complaint has been transferred to the Disputes Chamber for handling, the

     Dispute Chamber will assess whether the related facts constitute a violation of one of the

     legal provisions with which the GBA must monitor compliance. That control lasts

     also extends to assessing violations that have ended at the time of the

     assessment by the Disputes Chamber.

   18. The hearing will take place on January 23, 2024. The parties that became decent

      called, do not appear. Although the hearing was held by the Litigation Chamber

      recorded in order to still offer the defendant the opportunity to exercise his rights
      defense, the Disputes Chamber can only determine that the absence

      of the defendant means that he has opted not to use this

      to make.


   19. On January 25, 2024, the official report of the hearing will be sent to the
      parties transferred.


   20. Also on 25 January 2024, the Disputes Chamber informed the defendant of its intention

      notified to impose an administrative fine,

      as well as the amount thereof in order to give the defendant the opportunity to present himself
      defense before the sanction is actually imposed. The defendant has the

      opportunity to respond to this intention by February 7, 2024 at the latest.


   21. On February 8, 2024, the Disputes Chamber determined that no response from the defendant
      was received on the intention to impose an administrative fine,

      as well as the amount thereof. Decision on the merits 29/2023 - 5/8


II. Justification


 22. The totality of the facts that occurred in this file shows that the

       defendant has repeatedly been given the opportunity to act in accordance with

       the GDPR, which means that he is required to do so in response to a request under Article 17.1 GDPR

       obliged to fulfill its obligations arising from Articles 12.3 and 12.4

       GDPR. Initially, the defendant received several requests from the complainant for information

       to erase data, but despite the defendant's promise to the complainant

       to remove his data from the website, the situation remained unchanged. Even later

       the order to this effect was issued by the Disputes Chamber through Decision 16/2021 of 9

       February 2021, my consequence remained unfulfilled. So this is also an opportunity for the corrective measure


       to implement the Disputes Chamber and to erase data after all

       missed by the defendant.

 23. After the corrective measure imposed in Decision 16/2021 of February 9

       2021 was manifestly misunderstood by the defendant and despite the order to

       to erase data, nevertheless - and this notwithstanding the fact that he did

       was fully aware of the order as evidenced by the file and receipt of the

       command decision was not denied by him at any time - has persisted in it

       the Disputes Chamber now decides whether to maintain the publication of the complainant's data

       to impose an administrative fine that does not serve to correct an offense made

       violation, but with a view to vigorous enforcement of the rules

       of the GDPR.


    24. As is clear from recital 148 GDPR, the GDPR stipulates that in every

        serious infringement - therefore also in the case of an initial detection of an infringement - penalties, with

        including administrative fines, in addition to or instead of appropriate measures

        are imposed. In the recent Deutsche Wohnen judgment, the Court of Justice of

        the European Union stipulates that an administrative fine may be imposed if:

        it is established that the controller intentionally or negligently committed an act referred to in Article

        83(4) to (6) of the GDPR has committed the infringement in question.







1But the defendant only replied with: “My email address is: [email address]”
2
 Recital 148 states: “In order to ensure stronger enforcement of the rules of this Regulation, penalties,
including administrative fines, to be imposed for any infringement of the Regulation, in addition to or instead of
appropriate measures imposed by the supervisory authorities under this Regulation. If it
concerns a minor infringement or if the expected fine would impose a disproportionate burden on a natural
person, a reprimand can be chosen instead of a fine. However, it must also be taken into account
with the nature, severity and duration of the infringement, with the intentional nature of the infringement, with damage limitation
measures, with the degree of responsibility, or with previous relevant infringements, with the manner in which the infringement occurred
has come to the notice of the supervisory authority, with compliance with the measures taken against the
controller or processor, with compliance with a code of conduct and with all other aggravating or
mitigating factors. The imposition of penalties, including administrative fines, should be subject to
appropriate procedural guarantees in accordance with the general principles of Union law and the Charter, including

an effective remedy and a fair administration of justice. [own underlining]
3Judgment of 5 December 2023, C-807/21, ECLI:EU:C:2023:950. Decision on the merits 29/2023 - 6/8


 25. Below, the Disputes Chamber shows that the infringements that the defendant has committed

       Articles 12.3 and 12.4 GDPR in conjunction with Article 17.1 GDPR, as well as Article 31 GDPR in no way

       minor infringements, nor that the fine would cause a disproportionate burden

       a natural person as referred to in recital 148 GDPR, where in either case

       cases, a fine can be waived. The fact that it is a first determination of

       concerns an infringement of the GDPR committed by the defendant, does not do so in any way

       prejudice to the possibility for the Disputes Chamber to impose an administrative fine
       to lay. The Disputes Chamber imposes the administrative fine in application of

       Article 58.2.i) GDPR. The instrument of administrative fine has no purpose whatsoever

       to end infringements. To this end, the GDPR and the WOG provide a number of corrective measures

       measures, including the orders referred to in Article 100, § 1, 8° and 9° WOG.

                                                                 4
 26. Taking into account Article 83 GDPR and the case law of the Market Court,
       the Disputes Chamber to impose an administrative sanction in concrete terms:


 27. First of all, the nature and seriousness of the infringement is taken into account by the Disputes Chamber

       taken to justify the imposition of this sanction and its amount.

 28. In this regard, the Disputes Chamber determines that the violated provisions are among the

       core of the GDPR, it concerns in particular the rights of data subjects

       Articles 12 to 22 GDPR. Both the complainant's request and the decision 16/2021

       of February 9, 2021 of the Disputes Chamber were aimed at the right to

       erasure of the complainant's data by the defendant. The request of the

       complainant to erase data was addressed several times to the defendant and

       time and again, the defendant, notwithstanding the promise to the complainant to
       to delete data, has not proceeded with its deletion.


 29. Also the subsequent Decision 16/2021 of February 9, 2021 in which the Disputes Chamber

       ordered the defendant to erase data remained without effect.

       Notwithstanding the binding nature of this decision, the defendant

       the repeated requests of the complainant and the order of the Dispute Chamber

       to take appropriate action. The defendant has only recently started erasing data
       after the Disputes Chamber has officially scheduled a hearing in accordance with

       Article 52 of the Rules of Internal Order. Violations of the aforementioned articles

       give rise to the highest fines under Article 83(5) GDPR. The rights of the

       data subject, including the right to erasure as provided for in Article 17.1 GDPR and

       the obligations arising from this for the controller such as

       laid down in Articles 12.3 and 12.4 GDPR, are an essential part of the GDPR,

       such that the defendant's failure to recognize it should be considered serious

       considered. The same also applies to non-compliance with the obligation to cooperate
       as included in Article 31 GDPR because the relevant Decision 16/2021 in which it



4Court of Appeal Brussels (Markten Court section), X t. GBA, Judgment 2020/1471 of February 19, 2020. Decision on the merits 29/2023 — 7/8


     order was imposed to carry out the erasure of data requested by the complainant,

     which was thus taken in application of the fundamental rights of the data subject,

     in this case, Article 17.1 GDPR, was simply ignored by the defendant and

     notwithstanding this decision of the Disputes Chamber, the publication of the relevant
     data of the complainant on the website was maintained.


30. The duration of the infringement is also taken into account. The Disputes Chamber determines

     that the complainant addressed his first request to the defendant on November 18, 2018

     deletion of his personal data on the defendant's website. This request remains
     However, without result, such that the complainant repeats his request on August 13, 2019 and

     again on February 18, 2020.


31. Since the defendant also does not comply with these requests, the complainant must file a complaint

     to the Data Protection Authority in its decision 16/2021 of 9 February 2021
     imposes an order on the defendant to remove the person concerned

     personal data. This time too, there is no consequence. To the subsequent invitations

     of the Disputes Chamber where the parties, and therefore also the defendant, have access to the

     opportunity to submit defenses, there is also no response from the defendant.

     It is only at the time that the Disputes Chamber proceeds with the official recording

     of a hearing that the defendant through his counsel on December 6, 2023 to the
     Disputes Chamber indicates that it will proceed with the final removal of the

     personal data of the complainant on the defendant's website. On January 12, 2024

     the complainant confirms that his data has been removed from the defendant's website.

     Therefore, a considerable time has passed between the complainant's first request on the one hand

     erasure of data and also the order to that effect from the Disputes Chamber, and on the other hand the

     actual deletion of the complainant's data, although the defendant
     had knowledge of this request from the complainant and the order of

     the Disputes Chamber.


32. In addition, the manner in which the defendant has acted is also taken into account
     responded, in particular has completely failed to act in accordance

     with the GDPR, both at the complainant's repeated request to proceed

     data erasure, as per Decision 16/2021 of February 9, 2021 taken by the

     Dispute Chamber, namely by completely ignoring it and in spite of it

     maintain the publication of the complainant's personal data making it online

     have remained accessible to everyone, indicate a failure to recognize the importance of the

     legislation on personal data protection, in particular the rights of the
     person concerned, where the Disputes Chamber deems an administrative financial sanction necessary.


33. The whole of the elements set out above justifies an effective,

     proportionate and dissuasive penalty referred to in Article 83 GDPR, taking into account
     the assessment criteria determined therein. The Dispute Chamber points out that the other

     criteria of Article 83.2 GDPR in this case are not of the nature that they lead to a different decision on the merits 29/2023 - 8/8



       administrative fine than that imposed by the Disputes Chamber in the context of this

       decision has been made.



III. Publication of the decision


 34. Considering the importance of transparency with regard to decision-making
       Dispute Chamber, this decision will be published on the website of the

       Data Protection Authority. However, it is not necessary that the

       identification details of the parties are disclosed directly.






    FOR THESE REASONS   ,

    the Disputes Chamber of the Data Protection Authority, after deliberation, decides

    on the basis of Article 100, §1, 13° and Article 101 WOG, an administrative fine of €

    2,000 as a result of the infringement of Articles 12.3 and 12.4 GDPR in conjunction

    Article 17.1 GDPR, as well as Article 31 GDPR.







Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notice, an appeal against this decision will be filed with the Market Court (court of

appeal Brussels), with the Data Protection Authority as defendant.

Such an appeal can be lodged by means of an inter partes petition

must contain statements listed in Article 1034ter of the Judicial Code. It

an objection petition must be submitted to the registry of the Market Court

in accordance with Article 1034quinquies of the Dutch Civil Code. , 6 or via e-Deposit

IT system of Justice (Article 32ter of the Judicial Code).






        (translated) Hielke HMANS

        Chairman of the Disputes Chamber




5The petition states, under penalty of nullity:
 1° the day, month and year;

 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
    company number;
 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
    summoned;
 4° the subject matter and brief summary of the grounds of the claim;
 5° the judge before whom the claim is brought;
 6° the signature of the applicant or his lawyer.
6The petition with its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.