APD/GBA (Belgium) - 63/2024
APD/GBA - 63/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(7) GDPR, Article 12(3) GDPR, Article 12(4) GDPR, Article 15(1) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 25.04.2024 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 63/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | GBA (in NL) |
Initial Contributor: | nzm |
The DPA found that the administrator of a software platform allowing people to book doctor's appointments was a processor, as it did not determine the purposes of the processing, and therefore did not have to respond to an access request. The purposes were determined by the health care institutions.
English Summary
Facts
A data subject exercised their right of access with the administrator of the software platform for an app and website (‘administrator’). This app and website allowed patients to browse medical practices, identify themselves, choose the doctor with whom they want the appointment, choose the desired time slot and confirm the appointment.
The administrator of the platform indicated that it was merely acting as a processor and processing personal data on behalf of the health providers. It also provided the data subject with a list of the doctors in whose databases the data subject's personal data appeared.
The data subject considered this response insufficient and claimed that the administrator was in fact the controller of the processing. They therefore lodged a complaint with the Belgian DPA ('GBA').
Holding
Firstly, regarding controllership, the GBA indicated that the GDPR defines a 'controller' as the person who determines the purposes and means of the processing of personal data. The DPA added that the CJEU held that the concept of ‘controller’ should be interpreted broadly (CJEU, 10 July 2018, Jehovan todistajat, C-25/17).
Additionally, the EDPB Guidelines on the concepts of controller and processor in the GDPR indicate that the controller is not necessarily someone who actually has access to the data being processed. For example, someone who outsources a processing activity and has a determinative influence on the purpose and essential means of the processing is to be regarded as a controller (§45 of the EDPB Guidelines).
In the present case, the GBA found that the purpose of the app and website was to have an online scheduling system, exchange data with other apps and make fully automated appointments. This purpose was determined autonomously by the healthcare provider; the administrator simply provided an online calendar system as a means to achieve it. Therefore, the healthcare providers were considered controllers.
The GBA then noted that to be considered a processor within the meaning of the GDPR, two central conditions must be met: (i) it must be a natural or legal person and (ii) it must process personal data on behalf of the controller.
Regarding the first condition, the GBA held that the healthcare providers decided to outsource the activity consisting of online registration of patient appointments to the administrator of the platform, which is an external organisation separate from the healthcare providers' practice. The administrator also had legal personality in its own right.
Regarding the second condition, the GBA noted that the processing agreements showed that the processing activity was carried out exclusively according to the written instructions of the healthcare providers. They also expressly provided that the administrator would not process personal data for any purpose other than those specified by the healthcare provider. The privacy policy also specified that the administrator was only responsible for the technical functioning of the platform, while the healthcare providers were responsible for determining the purpose and content of the processing operations.
Therefore, the GBA held that the administrator was in fact a processor.
Secondly, regarding the right of access, the GBA pointed out that the rights available to the data subject must be exercised vis-à-vis the controller. It indicated that no provision of the GDPR provides a basis for the data subject to exercise their right of access directly with the processor.
In the present case, the processor repeatedly attempted to provide information to the data subject explaining that their access request should be addressed to each healthcare provider. The DPA also noted that the administrator even informed them of the databases of healthcare providers in which they could be found, which was a good practice and facilitated the exercise of the data subject's rights.
Therefore, the GBA concluded that there was no violation of Article 4(7) GDPR, read in conjunction with Articles 12(3), 12(4) and 15(1) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Disputes Chamber
Decision on the merits 63/2024 of April 25, 2024
File number: DOS-2022-01907
Subject: Exercise of the right of access

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, chairman, and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter "WOG";

Having regard to the internal rules of procedure, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Has made the following decision regarding:

Complainant: Mrs.
The defendant: Y, hereinafter "the defendant"

I. Facts and procedure

1. On February 4, 2023, the complainant submits a complaint to the Data Protection Authority against the defendant.

2. The subject of the complaint concerns the complainant's exercise of the right of access, in which she addresses her request to the defendant, being the administrator of the software platform for an online agenda system. The complainant's request was not acted upon by the defendant. In the context of the subsequent mediation that took place at the level of the First Line Service, the defendant responded and indicated that it acts in the capacity of processor and only processes personal data on behalf of the customers who use the defendant's software platform. The defendant provided the complainant with an overview of the customers in whose database the complainant is located, so that the complainant can address her access request to the defendant's customers. According to the complainant this response from the defendant is inadequate, as she states that the defendant is the controller for the personal data processed via the platform and would thus have acted in violation of Article 4.7) GDPR and Articles 12.3 and 12.4 GDPR in conjunction with Article 15.1 GDPR.

3. On February 16, 2023, the complaint is declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint is transferred to the Disputes Chamber on the basis of Article 62, § 1 WOG.

4. On July 31, 2023, the Disputes Chamber decides on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for treatment on the merits, and the parties involved are notified by registered mail of the provisions stated in Article 95, § 2, as well as of those in Article 98 WOG. They are also informed on the basis of Article 99 WOG of the time limits for submitting their defences. The deadline for receipt of the defendant's statement of defence was set on September 22, 2023, for the complainant's reply on October 13, 2023 and for the defendant's rejoinder on November 3, 2023.

5. On July 31, 2023, the defendant requests a copy of the file (Article 95, § 2, 3° WOG), which was transferred to him on August 8, 2023.

6. On September 22, 2023, the Disputes Chamber receives the statement of defence of the defendant, who essentially claims to carry out the data processing on behalf of the controllers who have taken up the defendant's SaaS[1] offering, as a result of which the defendant intends to act as processor. The defendant explains that his role as processor entails that he has no obligation to comply with Articles 12.3 and 12.4 GDPR and Article 15.1 GDPR. In the alternative, the defendant indicated that the complainant was requested to provide additional information with a view to correct verification of her personal data, in order to be able to give an appropriate response to the controller, being a healthcare provider, in accordance with the obligations agreed under the processing agreement, but that the complainant's cooperation in providing this information has not been forthcoming. The defendant subsequently provided transparent and understandable information to the complainant several times in relation to the access request.

7. On September 6, 2023, the parties are notified that the Disputes Chamber proceeds ex officio to set a hearing, the date of which is set on November 23, 2023.

8. On October 13, 2023, the Disputes Chamber receives a letter from the complainant reporting that not all documents in the file could be consulted electronically and that, in the absence of all information, it was not possible to submit a reply within the established period. The Disputes Chamber then sends the requested documents to the complainant by post.

9. On October 26, 2023, the hearing date is postponed to December 14, 2023, whereby a (new) deadline for receipt of the complainant's reply was set on November 8, 2023 and for the defendant's rejoinder on November 29, 2023.

10. Notwithstanding the extension of the periods, no new submissions are filed with the Disputes Chamber.

11. On December 14, 2023, the defendant is heard by the Disputes Chamber. The complainant, who was duly summoned, reports by letter received by the Disputes Chamber on 13 December that she will not appear.

12. The minutes of the hearing are sent to the parties on December 21, 2023.

13. On December 22, 2023, the Disputes Chamber receives a single comment from the defendant regarding the minutes, which it decides to include in its deliberation.

II. Justification

a) Capacity of the defendant

14. In order to determine the obligations the defendant must comply with under the GDPR, it must first be established in which capacity the defendant acts with regard to the data processing that is the subject of the complaint. It is crucial to investigate whether the defendant acts as controller (Article 4.7) GDPR)[2] or as processor (Article 4.8) GDPR)[3].

15. The defendant argues that it merely acts as a processor, not as a controller. The Disputes Chamber examines whether the defendant should indeed only be regarded as a processor in accordance with the (broad) interpretation of the concept of controller by the Court of Justice[4] and the European Data Protection Board (EDPB), in particular in the Guidelines 07/2020 on the concept of controller.

16. The GDPR defines a "controller" as the entity that, alone or jointly with others, determines the purposes and means of the processing of personal data.[5] This definition must be understood in the light of the legislator's objective of assigning primary responsibility for the protection of personal data to the entity that actually exercises control over the data processing. This means that not only the legal qualification must be taken into account, but also the actual reality.[6]

17. The EDPB has clarified that the concept of controller is based on the influence of the controller on the processing, on the basis of a decision-making power or control over processing activities. Such control may arise from legal provisions, from an implied authority or from the exercise of actual influence.[7] Essentially, determining the purposes and means corresponds to determining the why and the how of the processing respectively: for a specific processing activity, the controller is the person who exerts influence on the processing of personal data and therefore determines why the processing takes place (i.e. for what purpose) and how that goal will be achieved (i.e. what means will be used to achieve the goal).[8]

18. The power to determine the means and purposes of processing activities can first of all be linked to the functional role of an organization.[9] Responsibilities are assigned on the basis of the contractual provisions between the parties involved, although these are not always decisive, or on the basis of an assessment of a party's actual control.[10] In this way, the determination of the means and purposes results from a decisive influence over the processing, more specifically over the reason why processing takes place in a certain manner.[11]

19. In its Jehovah's Witnesses judgment[12], the Court of Justice gives a broad interpretation to the concept of controller. This judgment emphasizes that the definition of controller must be interpreted broadly in order to ensure "effective and full protection of data subjects"[13], and that access to the personal data concerned is not required in order to qualify as a controller.[14]

20. The determining elements for whether the data processing takes place in the capacity of controller or of processor are the purposes and the means, more specifically the extent to which decision-making power is present.

21. In concrete terms, in this case the data processing is carried out by the defendant using a software application based on web technology (a web-based appointment system). In order to be able to assess the impact of the defendant on the purpose and the means, insight must first be gained into the operation of this application. This goes as follows:
a. The patient surfs to the medical practice's website or uses the app;
b. The patient identifies himself in the online agenda system. The user of the application, in this case the healthcare provider, chooses how the patient can register, namely via 1) username and password; 2) name, first name and date of birth; 3) e-ID; 4) national register number or 5) social media account;
c. The patient chooses the doctor with whom he/she wants an appointment;
d. The patient may choose an appointment category;
e. The patient chooses the desired time slot;
f. The patient optionally fills in additional comments;
g. The patient confirms his/her appointment.

22. The defendant then checks whether the relevant personal data of the patient involved is present in the healthcare provider's database. If this is the case, the patient can make an appointment. If this is not the case, the patient must either register manually or is denied access if the healthcare provider does not wish to accept new patients.

23. Based on the elements present in this file, the Disputes Chamber determines that the intended purpose is to have an online agenda system that makes it possible to make appointments and receive appointment reminders, to exchange data with other applications and to make fully automatic appointments by telephone. This purpose arises from the need for the healthcare provider to be able to register appointments with patients in an efficient manner. This means that the purpose is determined completely autonomously by the healthcare provider and the defendant's online agenda is merely a means to achieve this end. It is certain that only healthcare providers who are of the opinion that the application offered by the defendant, with the options the online agenda system offers to register appointments with patients, also meets their specific needs will actually call on the defendant and proceed to conclude an agreement with the defendant. The healthcare provider does not only decide on this purpose, but decides entirely on its own which means it believes are the most adequate to achieve the goal it pursues. In addition, the defendant has a purely intermediary role in the sense that it only proposes and offers the distinct functionalities of an application. However, it is only the healthcare provider who, in function of the purpose it pursues, decides which of the functionalities the application offers it wishes to use. Since both the purpose and the means to this end are determined exclusively by the healthcare provider, it must therefore be assigned the status of controller.[15]

24. The defendant, on the other hand, meets the two central conditions for being a processor within the meaning of Article 4.8) GDPR, namely: a) it is a separate legal entity from the controller, i.e. the healthcare provider, and b) it processes the personal data on behalf of the controller.

25. The healthcare providers, often a practice of healthcare providers, decide to outsource the activity consisting of the online registration of appointments with patients to the defendant, who is an external organization completely separate from the practice of the healthcare providers. The defendant also has the required legal personality, as it has taken the form of a private limited company.

26. The processing agreements provided by the defendant show that the processing activity is carried out under a strict obligation for the defendant to carry it out in accordance with, and only in accordance with, the written instructions of the healthcare provider. The Disputes Chamber notes that there is no room for the defendant to use the personal data obtained for any other processing purpose. It is also expressly stipulated that the defendant will not process personal data for any purpose other than as determined by the healthcare provider, and in that sense the requirement of Article 28.10 GDPR to be considered a processor is therefore also met. A purpose of the defendant's own is, after all, completely absent: the data obtained are only processed for the benefit of the healthcare provider. This is also emphasized in the privacy statement provided by the defendant.[16] It explicitly states that the defendant is only responsible for the technical functioning of the platform, while healthcare providers are responsible for determining the purpose and content of the data processing.

27. The capacity of the defendant as a processor is also confirmed by the fact that the concrete processing activity of the defendant, as a service provider who processes the personal data of the patient in its relationship with the healthcare provider in order to be able to proceed with the registration of an appointment between patient and healthcare provider, takes place on behalf of the healthcare provider, who has absolute control over the data processing. The nature of the service is decisive in the sense that, in order to be a processor, the service must be specifically aimed at the processing of personal data or the processing must constitute an essential aspect of that service. The software application offered by the defendant is essentially aimed at the processing of personal data of patients as provided by the healthcare provider, which are necessary to be able to proceed with the registration of appointments only with the relevant healthcare provider, without the defendant offering file management of health data and without the defendant having any influence on the determination of the purposes and means of the processing.

28. Since the Disputes Chamber is of the opinion that it is established that the defendant acts as a processor, this has consequences for the data protection obligations that follow from this. Below, the Disputes Chamber will discuss, from the perspective that the defendant has the capacity of processor, the exercise of the right of access that is the subject of the complaint.

b) Right of access

29. The right of access as included in Article 15.1 GDPR[17] stipulates that the data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him are being processed and, where that is the case, to inspect those personal data and the information included in this provision. A number of obligations arise from this for the controller, in accordance with Article 12 GDPR on transparent information and communication with regard to the data subject, as well as with regard to facilitating the exercise of the right of access by the data subject.

30. The Disputes Chamber draws attention to the fact that this right available to the data subject must be exercised vis-à-vis the controller. The right of access can therefore be exercised by the data subject, in this case the complainant, exclusively with regard to the controller, being the healthcare provider. Not a single provision of the GDPR provides a basis for a data subject to exercise the right of access directly with regard to the processor the controller relies on. Since the defendant has the capacity of processor, the complainant cannot reasonably address the defendant in order to gain access to the data concerning her.

31. From the documents in the file, in particular those submitted during the mediation procedure at the First Line Service, it appears that the defendant has repeatedly attempted to provide the complainant with information, by alerting her that the access request had to be addressed to each healthcare provider in their capacity of controller, as well as by providing the complainant, within the framework of the mediation, with an overview of the practices that process her personal data. Notwithstanding that under the GDPR there is no obligation on the part of the defendant to comply with the request for access to the personal data processed by the healthcare providers via the software application consulted by the complainant, the defendant attempted to make clear to the complainant that she had to address her access request separately to the relevant healthcare providers. During the hearing, the defendant repeated that only the healthcare provider, as controller, can ask the defendant to provide data to the data subject. Concretely, in the present file, after information was obtained in the context of the mediation procedure at the First Line Service, a search was made by the defendant on behalf of the complainant. This search served to indicate which controller the complainant should contact with her request for access, in order to enable the complainant to obtain an answer to her request for access.

[...]

an objection petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code).

Hielke HIJMANS
Chairman of the Disputes Chamber

Footnotes

1 Software as a Service.
2 Article 4 GDPR: For the purposes of this Regulation the following definitions apply: [...] (7) 'controller' means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
3 Article 4 GDPR: For the purposes of this Regulation the following definitions apply: [...] (8) 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
4 See, among others, CJEU, Judgment of 10 July 2018, Jehovan todistajat, C-25/17, ECLI:EU:C:2018:551, para. 66, and most recently Judgment of 7 March 2024, IAB Europe, C-604/22, ECLI:EU:C:2024:214, para. 55.
5 Art. 4.7) GDPR.
6 L. A. BYGRAVE & L. TOSONI, "Article 4(7). Controller" in The EU General Data Protection Regulation. A Commentary, Oxford University Press, 2020, p. 148.
7 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, v2.0, 2021, para. 20 ff.
8 Ibidem, para. 35.
9 D. De Bot, The application of the General Data Protection Regulation in the Belgian context, Wolters Kluwer, 2020, para. 362.
10 D. De Bot, The application of the General Data Protection Regulation in the Belgian context, Wolters Kluwer, 2020, para. 363-365.
11 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, v2.0, 2021, para. 20.
12 CJEU, Judgment of 10 July 2018, Jehovan todistajat, C-25/17, ECLI:EU:C:2018:551.
13 CJEU, Judgment of 13 May 2014, Google Spain and Google and Others, C-131/12, ECLI:EU:C:2014:317, para. 34; see also the discussion regarding the scope of the concept in C. DOCKSEY and H. HIJMANS, "The Court of Justice as a Key Player in Privacy and Data Protection", European Data Protection Law Review, 2019, issue 3, (300) 304.
14 CJEU, Judgment of 10 July 2018, Tietosuojavaltuutettu et Jehovan todistajat - uskonnollinen yhdyskunta, C-25/17, ECLI:EU:C:2018:551. See also EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, v2.0, 2021, para. 45.
15 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, v2.0, 2021, para. 73-84.
16 Privacy Statement Y, point 3.1 under title 3, "Who processes the personal data": "With regard to the Indirect Users of the Platform, the Direct User himself will acquire the capacity of controller. The Direct User understands that Y in this context acts only as a processor who is responsible for the proper functioning of the Platform." In the privacy statement, title 1, "Definitions", indicates what interpretation should be given to "Direct User" and "Indirect User", which refer respectively to healthcare providers and patients. This is reaffirmed in the defendant's submissions.
17 Article 15 GDPR: 1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. 3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
[...] 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and a brief summary of the grounds of the claim; 5° the judge before whom the claim is brought; 6° the signature of the applicant or his lawyer.
19 The petition with its attachment is deposited with the clerk of the court or at the registry, sent by registered letter in as many copies as there are parties involved.