APD/GBA (Belgium) - 29/2024
APD/GBA - 29/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12(3) GDPR Article 12(4) GDPR Article 17(1) GDPR Article 31 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 09.02.2024 |
Published: | |
Fine: | 2,000 EUR |
Parties: | n/a |
National Case Number/Name: | 29/2024 |
European Case Law Identifier: | n/a |
Appeal: | Pending appeal |
Original Language(s): | Dutch |
Original Source: | GBA (in NL) |
Initial Contributor: | nzm |
A data subject lodged a complaint with the Belgian DPA after a controller failed to respond to his erasure request several times. When the controller finally removed the data subject’s data, the DPA considered that they should still assess whether there was a data breach or not.
English Summary
Facts
On March 2020, a data subject filed a complaint with the Belgian DPA (“APD”) concerning the online publication of his name, address and photograph on the controller’s website. This personal data was obtained during an on-site visit to the data subject’s home following an energy renovation. The data subject requested several times that the personal data concerning him be deleted and the controller indicated that they would comply, but the situation remained unchanged.
On 12 March 2020, the APD started a sanctioning procedure against the controller. On 15 February 2021, the APD ordered the controller to comply with the data subject’s request within a period of 14 days from the notification of the decision. The controller did not comply with the request. The APD therefore decided that the case was ready for a hearing and notified them of the time limits for submitting their defences under Belgian Law. The data subject indicated that they did not receive the conclusions of the controller and that the data was still available on their website. The APD asked the controller to indicated whether or not they wanted to conclude for which they granted an additional period of one week. The controller responded by stating that they wished to communicate via a different e-mail address, without indicating whether or not they wanted to conclude.
On 12 May 2021, the DPA adopted a new schedule of submissions which was sent to the new e-mail address, as per requested by the controller who failed to respond once again. The APD fixed a hearing date and the controller notified the DPA that they would not participate in the hearing because they considered that their presence was not a requirement as the facts were clear. On 6 December 2023, the DPA received a notification that the controller appointed a counsel and requested that the hearing be postponed as it was materially impossible to prepare for the hearing in such a short time frame. The APD granted the postponement and set a new hearing date for January 2024.
On 12 January 2024, the data subject indicated that his details were removed from the website and that the case should not be pursued. The controller therefore responded that pursuant to the data subject’s notice, the matter of the dispute was no longer meaningful.
Holding
Firstly, the DPA indicated to the parties that the hearing date would be maintained, considering that once the matter has been referred to a DPA, it is empowered to investigate in full independence the compliance with the GDPR, regardless of the withdrawal of the complaint by the data subject. The APD therefore considered that once a complaint is considered admissible by the APD, they must assess whether the related facts constitute a breach of GDPR.
Secondly, the APD considered that the controller was repeatedly given the opportunity to comply with Articles 12(3) and 12(4) GDPR because they received several requests from the data subject and an order by the APD but the situation remained unchanged. The APD considered that the corrective measure imposed by the previous decision was manifestly disregarded by the controller. The APD took several elements into account.
Regarding the seriousness of the breach, the APD indicated that the controller breached Articles 12(3), 12(4), 17(1) GDPR by failing to respond to the data subject’s request. The DPA added that the controller failed to comply with the duty to cooperate under Article 31 GDPR.
Regarding the duration of the breach, the DPA noted that the data subject filed its first request for erasure on 18 November 2018 and repeated it two times, but was left with no response until 12 January 2024.
Regarding the manner in which the controller reacted, the APD took into account the fact that the controller completely ignored the decision taken and maintained the data subject’s personal data online.
The APD concluded that these elements justified an effective, proportionate and dissuasive sanction under Article 83 GDPR and therefore imposed a €2,000 fine for breaching Articles 12(3) and 12(4) in conjunction with Article 17(1) GDPR, as well as Article 31 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/8 Dispute Chamber Decision 29/2024 of February 9, 2024 File number: DOS-2020-01312 Subject: Exercise of the right to erasure of data with regard to publication of name, address and photo on website The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, chairman, and Messrs. Dirk Van Der Kelen and Frank De Smet, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”; In view of the internal rules of order, as approved by the House of Representatives Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has made the following decision regarding: Complainant: Mr. The defendant: Mr. Y, [address], [national register number], represented by Mr. Christian Lemache, hereinafter “the defendant” Decision on the merits 29/2023 - 2/8 I. Facts and procedure 1. On March 10, 2020, the complainant submits a complaint to the Data Protection Authority against defendant. 2. The subject of the complaint concerns the online publication of the name, address and photo of the complainant on the defendant's website. The defendant has the relevant personal data of the complainant obtained in the context of an on-site visit at the complainant at home following an energetic renovation subsidized by the province. The defendant, in his capacity as a politician, proceeded to publish the complainant's details on his personal website. The complainant turned away several times to the defendant with the request to delete the personal data concerning him. Although the defendant indicates that he will comply with the complainant's request, the situation unchanged and the relevant details of the complainant are still available online consult the defendant's website. 3. On March 12, 2020, the complaint will be declared admissible by the First Line Service on on the basis of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG transferred to the Disputes Chamber. 4. On February 15, 2021, the Disputes Chamber will notify the parties of Decision 16/2021 of February 9, 2021 in which the Disputes Chamber pursuant to Article 58.2, c) GDPR and Article 95, §1, 5° WOG orders the defendant to comply with the request of the data subject to exercise his rights, in particular the right to erasure of data (Article 17.1 GDPR), and to erase the complainant's personal data, and this within a period of 14 days from the notification of the aforementioned Decision 16/2021. 5. In the absence of any response to Decision 16/2021 by the defendant, the Disputes Chamber on March 10, 2021 on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for treatment on the merits and the parties involved will be notified by email notified by registered mail of the provisions referred to in Article 95, § 2, as well as those in Article 98 WOG. They are also registered on the basis of Article 99 of the WOG informed of the deadlines for submitting their defenses. The deadline for receipt of the defendant's statement of defense was recorded on April 21, 2021, this for the conclusion of the complainant's reply on 12 May 2021 and this for the defendant's response on June 2, 2021. 6. On May 5, 2021, the complainant indicated that he had not received any conclusions due to the defendant and, failing that, does not have the opportunity to rely on it replicate, but his data is still online on the website defendant. Decision on the merits 29/2023 - 3/8 7. On May 6, 2021, the Disputes Chamber will request the defendant to know indicate whether or not he wishes to conclude for which, if necessary, he will receive an additional one term of one week is granted. On the same date, the defendant only responds with the message that he wishes to communicate via another email address without any indication whether he will still conclude. 8. In the absence of any response from the defendant, the Disputes Chamber will set a date of May 12 2021, a new claim calendar will be established, which will be delivered to the defendant on the email address requested by him. The deadline for receipt of the conclusion of the defendant's response was recorded on June 23, 2021, this for the conclusion of the complainant's reply on July 14, 2021 and this for the conclusion of the reply of the defendant on August 4, 2021. 9. After further response from the defendant, it remains unclear whether he has does not want to submit defenses, the Disputes Chamber will go to trial on November 22, 2023 ex officio to set a hearing for which the date will be set recorded on December 12, 2023. This invitation to the hearing will be sent both by e-mail and sent by email as registered mail. 10. On 27 November 2023, the complainant reports to the Disputes Chamber that he will not participate in the hearing, where he indicates that he is satisfied with his presence at the hearing is not a requirement as the facts are clear. 11. On December 6, 2023, the Disputes Chamber receives notification that the defendant has a counsel has been appointed. The counselor who states that he was recently consulted by the defendant, requests the Disputes Chamber to postpone the hearing because it is material impossible to prepare for the hearing within the short time frame. In the In this context, he also requests a copy of the file. The counselor also leaves that aside know that they have advised the defendant to delete the complainant's data of the website. The counselor explicitly asks the complainant to take a stand decide whether to maintain his file in these circumstances. 12. The request to postpone the hearing will be granted on December 8, 2023 by the Disputes Chamber that informs the parties thereof. 13. On December 14, 2023, the Disputes Chamber will notify the parties of the new date of hearing set for January 23, 2024 and will be given to the defendant a copy of the file (Article 95, § 2, 3° WOG) submitted. 14. On January 12, 2024, the complainant reports to the Disputes Chamber that his data has been deleted removed from the defendant's website and the case no further as far as he is concerned should be treated. He reports that he is satisfied with the outcome of the file. Decision on the merits 29/2023 - 4/8 15. Also on January 12, 2024, the defendant's counsel responded that pursuant to the notification from the complainant that the subject of the dispute is no longer an issue, so that a substantive treatment with appearance at the hearing is no longer useful. 16. On January 22, 2024, the Disputes Chamber clarified to the parties that the hearing as established on January 23, 2024 and will be maintained. The Disputes Chamber hereby points out that, once it has been caught, it will have full independence to comply with the GDPR to investigate and monitor its effective application, regardless of the withdrawal of the complaint by the complainant or its becoming null and void. 17. The supervision by the Disputes Chamber is not primarily aimed at the settlement of conflicts, but is one of the GBA's instruments to monitor compliance with the rules on data protection, in accordance with the provisions of the EU Treaties, the GDPR and the law of 3 December 2017 establishing the Data Protection Authority. If a complaint is filed and then if admissible complaint has been transferred to the Disputes Chamber for handling, the Dispute Chamber will assess whether the related facts constitute a violation of one of the legal provisions with which the GBA must monitor compliance. That control lasts also extends to assessing violations that have ended at the time of the assessment by the Disputes Chamber. 18. The hearing will take place on January 23, 2024. The parties that became decent called, do not appear. Although the hearing was held by the Litigation Chamber recorded in order to still offer the defendant the opportunity to exercise his rights defense, the Disputes Chamber can only determine that the absence of the defendant means that he has opted not to use this to make. 19. On January 25, 2024, the official report of the hearing will be sent to the parties transferred. 20. Also on 25 January 2024, the Disputes Chamber informed the defendant of its intention notified to impose an administrative fine, as well as the amount thereof in order to give the defendant the opportunity to present himself defense before the sanction is actually imposed. The defendant has the opportunity to respond to this intention by February 7, 2024 at the latest. 21. On February 8, 2024, the Disputes Chamber determined that no response from the defendant was received on the intention to impose an administrative fine, as well as the amount thereof. Decision on the merits 29/2023 - 5/8 II. Justification 22. The totality of the facts that occurred in this file shows that the defendant has repeatedly been given the opportunity to act in accordance with the GDPR, which means that he is required to do so in response to a request under Article 17.1 GDPR obliged to fulfill its obligations arising from Articles 12.3 and 12.4 GDPR. Initially, the defendant received several requests from the complainant for information to erase data, but despite the defendant's promise to the complainant to remove his data from the website, the situation remained unchanged. Even later the order to this effect was issued by the Disputes Chamber through Decision 16/2021 of 9 February 2021, my consequence remained unfulfilled. So this is also an opportunity for the corrective measure to implement the Disputes Chamber and to erase data after all missed by the defendant. 23. After the corrective measure imposed in Decision 16/2021 of February 9 2021 was manifestly misunderstood by the defendant and despite the order to to erase data, nevertheless - and this notwithstanding the fact that he did was fully aware of the order as evidenced by the file and receipt of the command decision was not denied by him at any time - has persisted in it the Disputes Chamber now decides whether to maintain the publication of the complainant's data to impose an administrative fine that does not serve to correct an offense made violation, but with a view to vigorous enforcement of the rules of the GDPR. 24. As is clear from recital 148 GDPR, the GDPR stipulates that in every serious infringement - therefore also in the case of an initial detection of an infringement - penalties, with including administrative fines, in addition to or instead of appropriate measures are imposed. In the recent Deutsche Wohnen judgment, the Court of Justice of the European Union stipulates that an administrative fine may be imposed if: it is established that the controller intentionally or negligently committed an act referred to in Article 83(4) to (6) of the GDPR has committed the infringement in question. 1But the defendant only replied with: “My email address is: [email address]” 2 Recital 148 states: “In order to ensure stronger enforcement of the rules of this Regulation, penalties, including administrative fines, to be imposed for any infringement of the Regulation, in addition to or instead of appropriate measures imposed by the supervisory authorities under this Regulation. If it concerns a minor infringement or if the expected fine would impose a disproportionate burden on a natural person, a reprimand can be chosen instead of a fine. However, it must also be taken into account with the nature, severity and duration of the infringement, with the intentional nature of the infringement, with damage limitation measures, with the degree of responsibility, or with previous relevant infringements, with the manner in which the infringement occurred has come to the notice of the supervisory authority, with compliance with the measures taken against the controller or processor, with compliance with a code of conduct and with all other aggravating or mitigating factors. The imposition of penalties, including administrative fines, should be subject to appropriate procedural guarantees in accordance with the general principles of Union law and the Charter, including an effective remedy and a fair administration of justice. [own underlining] 3Judgment of 5 December 2023, C-807/21, ECLI:EU:C:2023:950. Decision on the merits 29/2023 - 6/8 25. Below, the Disputes Chamber shows that the infringements that the defendant has committed Articles 12.3 and 12.4 GDPR in conjunction with Article 17.1 GDPR, as well as Article 31 GDPR in no way minor infringements, nor that the fine would cause a disproportionate burden a natural person as referred to in recital 148 GDPR, where in either case cases, a fine can be waived. The fact that it is a first determination of concerns an infringement of the GDPR committed by the defendant, does not do so in any way prejudice to the possibility for the Disputes Chamber to impose an administrative fine to lay. The Disputes Chamber imposes the administrative fine in application of Article 58.2.i) GDPR. The instrument of administrative fine has no purpose whatsoever to end infringements. To this end, the GDPR and the WOG provide a number of corrective measures measures, including the orders referred to in Article 100, § 1, 8° and 9° WOG. 4 26. Taking into account Article 83 GDPR and the case law of the Market Court, the Disputes Chamber to impose an administrative sanction in concrete terms: 27. First of all, the nature and seriousness of the infringement is taken into account by the Disputes Chamber taken to justify the imposition of this sanction and its amount. 28. In this regard, the Disputes Chamber determines that the violated provisions are among the core of the GDPR, it concerns in particular the rights of data subjects Articles 12 to 22 GDPR. Both the complainant's request and the decision 16/2021 of February 9, 2021 of the Disputes Chamber were aimed at the right to erasure of the complainant's data by the defendant. The request of the complainant to erase data was addressed several times to the defendant and time and again, the defendant, notwithstanding the promise to the complainant to to delete data, has not proceeded with its deletion. 29. Also the subsequent Decision 16/2021 of February 9, 2021 in which the Disputes Chamber ordered the defendant to erase data remained without effect. Notwithstanding the binding nature of this decision, the defendant the repeated requests of the complainant and the order of the Dispute Chamber to take appropriate action. The defendant has only recently started erasing data after the Disputes Chamber has officially scheduled a hearing in accordance with Article 52 of the Rules of Internal Order. Violations of the aforementioned articles give rise to the highest fines under Article 83(5) GDPR. The rights of the data subject, including the right to erasure as provided for in Article 17.1 GDPR and the obligations arising from this for the controller such as laid down in Articles 12.3 and 12.4 GDPR, are an essential part of the GDPR, such that the defendant's failure to recognize it should be considered serious considered. The same also applies to non-compliance with the obligation to cooperate as included in Article 31 GDPR because the relevant Decision 16/2021 in which it 4Court of Appeal Brussels (Markten Court section), X t. GBA, Judgment 2020/1471 of February 19, 2020. Decision on the merits 29/2023 — 7/8 order was imposed to carry out the erasure of data requested by the complainant, which was thus taken in application of the fundamental rights of the data subject, in this case, Article 17.1 GDPR, was simply ignored by the defendant and notwithstanding this decision of the Disputes Chamber, the publication of the relevant data of the complainant on the website was maintained. 30. The duration of the infringement is also taken into account. The Disputes Chamber determines that the complainant addressed his first request to the defendant on November 18, 2018 deletion of his personal data on the defendant's website. This request remains However, without result, such that the complainant repeats his request on August 13, 2019 and again on February 18, 2020. 31. Since the defendant also does not comply with these requests, the complainant must file a complaint to the Data Protection Authority in its decision 16/2021 of 9 February 2021 imposes an order on the defendant to remove the person concerned personal data. This time too, there is no consequence. To the subsequent invitations of the Disputes Chamber where the parties, and therefore also the defendant, have access to the opportunity to submit defenses, there is also no response from the defendant. It is only at the time that the Disputes Chamber proceeds with the official recording of a hearing that the defendant through his counsel on December 6, 2023 to the Disputes Chamber indicates that it will proceed with the final removal of the personal data of the complainant on the defendant's website. On January 12, 2024 the complainant confirms that his data has been removed from the defendant's website. Therefore, a considerable time has passed between the complainant's first request on the one hand erasure of data and also the order to that effect from the Disputes Chamber, and on the other hand the actual deletion of the complainant's data, although the defendant had knowledge of this request from the complainant and the order of the Disputes Chamber. 32. In addition, the manner in which the defendant has acted is also taken into account responded, in particular has completely failed to act in accordance with the GDPR, both at the complainant's repeated request to proceed data erasure, as per Decision 16/2021 of February 9, 2021 taken by the Dispute Chamber, namely by completely ignoring it and in spite of it maintain the publication of the complainant's personal data making it online have remained accessible to everyone, indicate a failure to recognize the importance of the legislation on personal data protection, in particular the rights of the person concerned, where the Disputes Chamber deems an administrative financial sanction necessary. 33. The whole of the elements set out above justifies an effective, proportionate and dissuasive penalty referred to in Article 83 GDPR, taking into account the assessment criteria determined therein. The Dispute Chamber points out that the other criteria of Article 83.2 GDPR in this case are not of the nature that they lead to a different decision on the merits 29/2023 - 8/8 administrative fine than that imposed by the Disputes Chamber in the context of this decision has been made. III. Publication of the decision 34. Considering the importance of transparency with regard to decision-making Dispute Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary that the identification details of the parties are disclosed directly. FOR THESE REASONS , the Disputes Chamber of the Data Protection Authority, after deliberation, decides on the basis of Article 100, §1, 13° and Article 101 WOG, an administrative fine of € 2,000 as a result of the infringement of Articles 12.3 and 12.4 GDPR in conjunction Article 17.1 GDPR, as well as Article 31 GDPR. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notice, an appeal against this decision will be filed with the Market Court (court of appeal Brussels), with the Data Protection Authority as defendant. Such an appeal can be lodged by means of an inter partes petition must contain statements listed in Article 1034ter of the Judicial Code. It an objection petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Dutch Civil Code. , 6 or via e-Deposit IT system of Justice (Article 32ter of the Judicial Code). (translated) Hielke HMANS Chairman of the Disputes Chamber 5The petition states, under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and brief summary of the grounds of the claim; 5° the judge before whom the claim is brought; 6° the signature of the applicant or his lawyer. 6The petition with its attachment will be sent by registered letter in as many copies as there are parties involved deposited with the clerk of the court or at the registry.