APD/GBA (Belgium) - 03/2021
APD/GBA - 03/2021 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR Article 6(1)(f) GDPR Article 6(4) GDPR Article 24(1) GDPR Article 24(2) GDPR Article 25(1) GDPR Article 25(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 13/01/2021 |
Published: | 13/01/2021 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 03/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | Beslissing ten gronde 03/2020 van 13 januari 2021 (in NL) |
Initial Contributor: | Enzo |
The Belgian DPA upholds that sending a newsletter to all parents of the children of a school with the mail addresses visible in CC is a breach of the GDPR as this purpose is not compatible with the contractual necessity of communication between school and parents.
Furthermore, the school cannot rely on legitimate interest as other measures exist to not share the contact details with the other parents (BCC) and the parents do not expect their personal data from being further processed.
As such, the school does not comply with their responsibilities as controller nor does uphold the principles of data protection by design and default.
English Summary
Facts
A school sent a newsletter to all parents with all mail addresses of those parents visible in Carbon Copy (cc) as opposed to Blind Carbon Copy (BCC).
The school said that internal policies dictate that sending in BCC is mandatory in such cases. They also added that the time to unsent a mail has been changed from 5 seconds to 30 seconds. The school also apologises.
The complainant later adds that even after the school said they implemented those measures, they still continue to send out mails with the mail addresses in CC.
Dispute
Can mail addresses of parents of children of a school be made public under Article 5(1)(b) if this was not the initial purpose for which the personal data was collected?
If not, can the school rely on legitimate interest under Article 6(1)(f)?
Holding
The school communicates with the parents on ground of contractual necessity based on Article 6(1). Without the contact details, it is impossible for the school to communicate with the parents. As such, there is no free choice.
Article 5
The DPA then states that it is possible to process the contact details for other purpose than initially processed if the purpose is compatible with the original purpose and that it will assess whether it is possible to rely on Article 5(1)(b) in this case.
However, the DPA states that this is not within the reasonable expectations of the parents, as they only provided their contact details relative to the school. The other parents are not included in this relationship. As such, these purposes are incompatible.
As every processing of personal data needs to rely on a legal basis from Article 6(1), this processing is unlawful.
Article 6
The DPA then assesses whether the school could rely on the legal basis of legitimate interest under Article 6(1)(f). It confirms earlier case law of the CJEU in which three requirements have to be fulfilled, cumulatively; legitimate interest pursued by controller, necessity of the processing and fundamental rights and freedoms of the data subject do not override the legitimate interest.
Assessment of legitimate interest
Reaching all parents, simultaneously, can serve as a legitimate interest. However, the means to reach this goal are not necessary and a simple technical measure exists to not make the mail addresses visible (BCC). As stated above, the reasonable expectations of the parents are in their relationship to the school, and not to other parents. The parents do not expect any other processing.
As such, requirement two and three are not fulfilled.
The school breaches Article 6(1)(b) juncto Article 6(4) and Article 6(1)
Articles 24 and 25
Furthermore, as the school continued their processing, despite promising they wouldn't and despite the fact that they have internal policies regulating this, they failed to comply to Article 24(1), Article 24(2) and Article 25(1), Article 25(2)
No fine was imposed, but a reprimand and clear instructions to implement the necessary measures to become compliant within 3 months.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/11 Litigation chamber Decision on the merits 03/2020 of 13 January 2021 File number: DOS-2020-00608 Subject: Sending by school of a global e-mail with all recipients To Be Visible The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Messrs. Christophe Boeraeve and Frank De Smet, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation), hereinafter GDPR; In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the rules of internal procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; . . . Decision on the merits 03/2021 - 2/11 has taken the following decision regarding: - X, hereinafter “the complainant” - Y, hereinafter “the defendant” 1. Facts and procedure 1. On January 30, 2020, the complainant lodged a complaint with the Data Protection Authority against the defendant. 2. The subject of the complaint concerns the sending by the defendant of an email with newsletter addressed to the parents of students throughout the school including all email addresses be visible to all recipients of the email concerned. 3. On February 17, 2020, the complaint will be declared admissible under Articles 58 and 60 WOG and the complaint on the basis of art. 62, §1 WOG submitted to the Disputes Chamber. 4. On April 3, 2020, the Disputes Chamber will decide on the basis of art. 95, §1, 1 ° and art. 98 WOG that it file is ready for treatment on the merits. 5. On April 3, 2020, the parties concerned will be notified by registered mail of the provisions as stated in article 95, §2, as well as those in art. 98 WOG. They are also on based on art. 99 WOG of the time limits for submitting their defenses. The deadline for receipt of the defendant's statement of response was thereby recorded on 18 May 2020, this for the complainant's reply on 8 June 2020 and this for the statement of defense of the defendant on 29 June 2020. 6. On May 18, 2020, the Disputes Chamber will receive the statement of defense from the defendant. In it, he confirms that Y will receive an email with the monthly news items on January 30, 2020 sent which concerned communication about the start-up of the nursery department by the municipality and a report that the school would be closed the next day. When sending the message the addresses of the parents were incorrectly placed in the field “Carbon Copy” (CC) instead from “Blind Carbon Copy” (BCC). The error was seen too late and an attempt to send it Undoing or withdrawing the mail failed. It was according to the defendant by no means the intention to put all addresses in CC. Decision on the merits 03/2021 - 3/11 7. Furthermore, the defendant adds three documents containing guidelines on the sending emails to external persons stating each time that email addresses are in BCC must be placed when sending an email in bulk. In addition, the default value to unsend an email, which is initially 5 seconds was now set to 30 seconds, so if in doubt the mail can still be sent withdrawn. 8. The defendant also apologizes to the complainant for disseminating his email address. 9. On 20 May 2020, the Disputes Chamber received the statement of reply from the complainant in which he stated that prior to the email of 30 January 2020 that is the subject of the complaint several times received e-mails from the defendant in which it had to establish that the email addresses were visible to all recipients. Notwithstanding the efforts which the defendant would have done, the complainant adds an email sent by the defendant on April 22, 2020, which shows that even after January 30, 2020, all e-mail addresses are visible to all recipients. 10. On May 22, 2020, the Disputes Chamber received the statement of reply from the defendant in which he indicates that he will take the necessary steps to ensure follow-up. 2. Legal basis - Article 5.1. b) GDPR: “Personal data must: […] b) for specified, explicitly defined and legitimate purposes are collected and may not be further used with those purposes are processed in an incompatible manner; further processing for the purpose of archiving in the public interest, scientific or historical research or statistical purposes in accordance with Article 89 (1) are not considered incompatible with the original purposes ('purpose limitation'); ' - Article 6.1. AVG The processing is only lawful if and insofar as at least one of the the following conditions are met: […] Decision on the merits 03/2021 - 4/11 f) the processing is necessary for the representation of the legitimate interests of the controller or of a third party, except where the interests or the fundamental rights and freedoms of the data subject that protect personal data outweigh those interests, especially where the the person concerned is a child. […] - Article 6.4. GDPR: “When the processing is for a purpose other than that for which the personal data are collected is not based on the consent of the data subject or on any provision of Union law or a provision under member state law that is necessary in a democratic society and is a proportionate measure to ensure the benefits referred to in Article 23 (1) objectives, the controller keeps in assessing whether the processing for another purpose is compatible with the purpose for which the personal data initially collected include: a) any link between the purposes for which the personal data was collected and the purposes of the intended further processing; b) the framework in which the personal data were collected, in particular what the relationship between concerns the data subjects and the controller; c) the nature of the personal data, in particular or special categories of personal data are processed, in accordance with Article 9, and / or personal data about criminal convictions and offenses are processed in accordance with Article 10; d) the possible consequences of the intended further processing for the data subjects; e) the existence of appropriate safeguards, which may include encryption or pseudonymization. ” - Art. 24.1 and 2. GDPR: “1. Taking into account the nature, scope, context and purpose of the processing, as well as with the varying risks to rights and freedoms of natural persons, the controller takes appropriate action technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this regulation. Those measures are evaluated and updated if necessary. 2. When proportionate to processing activities, the data referred to in paragraph 1 measures an appropriate data protection policy adopted by the controller is executed. " Decision on the merits 03/2021 - 5/11 - Art. 25.1 and 2. AVG: “1. Taking into account the state of the art, the implementation costs, and the nature, the scope, context and purpose of the processing as well as with the probability and serious risks to the rights and freedoms of individuals the processing are connected, affects the controller, both in the determination of the processing means as in the processing itself, appropriate technical and organizational measures, such as pseudonymization, which are designed with the aim of the data protection principles, such as data minimization, in an effective way way and build in the necessary safeguards in the processing for compliance of the requirements of this Regulation and to protect the rights of the involved. 2. The controller takes appropriate technical and organizational measures to ensure that, in principle, only personal data are processed necessary for each specific purpose of the processing. That obligation applies to the amount of personal data collected, the extent to which they are processed, the period for which they are stored and their accessibility. These measures ensure in particular, ensure that in principle personal data does not occur without human intervention an unlimited number of natural persons are made accessible. " 3. Justification 11. The defendant has the contact details of the parents of students, including the complainant, in order to be able to communicate with them about information that is important in the context of the defendant's relationship with the students' parents. The The Disputes Chamber assumes that there is a legal basis for obtaining this information exists, as referred to in Article 6.1 of the GDPR, namely the necessity of the implementation of the agreement between the complainant and the defendant (Article 6.1.b). After all, it does not seem right in principle possible for students to receive education from a school, without the school having the email have data from (one of) the parents of the student. For that reason, consent is like legal basis in accordance with the conditions of Articles 4 (7) and 7 GDPR is not conceivable for obtaining the data. After all, parents of children do not have the freedom to choose whether or not to submit their contact details to the school. 12. The Disputes Chamber will examine to what extent the defendant can access the complainant's contact details with third parties, in the present case the parents of other students. Decision on the merits 03/2021 - 6/11 13. In accordance with article 5.1. b) GDPR may allow the processing of personal data for other purposes other than those for which the personal data were initially collected permitted if the processing is compatible with the purposes for which the personal data initially collected. Taking into account the criteria included in article 6.4. AVG and Recital 50 of the GDPR must thus be ascertained whether the further processing, in this case the communicating the complainant's contact details to the parents of others by e-mail learners, whether or not it is compatible with the initial processing consisting of the set of the complainant's contact details in the context of direct contact between the parents of students and the school. The Disputes Chamber comes to the decision that the complainant is has provided contact details within the framework of its relationship with the school (being the defendant) and it could not reasonably be expected that the school would do the same would share data with third parties who have their own link with the school, since it parents of other pupils, but who are outside the relationship between the complainant and the school stand. 14. This leads to the conclusion that there is no compatible further processing, so that a separate legal basis is required for the communication of the contact details of the the complainant could be considered legitimate to the parents of other students. 15. Processing of personal data, including incompatible further processing as in the present case, is only lawful if there is a legal basis for this. For incompatible further processing operations, it is necessary to fall back on article 6.1. AVG and recital 50 GDPR. Recital 50 of the GDPR states that this is a separate legal basis required for the processing of personal data for other purposes that are incompatible with the purposes for which the personal data was initially collected. That separate legal grounds on the basis of which a processing, including incompatible further processing, which can be considered lawful, are provided in article 6.1. AVG. 1 Recital 50 GDPR: […] To determine whether a purpose of further processing is compatible with the purpose for which the personal data were initially collected, the controller must, after he has complied with all rules on lawfulness of the original processing, including taking into account: a possible link between those purposes and the purposes of the intended further processing; the framework in which the data was collected; in particular, the reasonable expectations of data subjects based on their relationship with the controller regarding its further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and appropriate safeguards for both the original and the intended further ones processing. 2 Recital 50 GDPR: The processing of personal data for purposes other than those for which the personal data initially collected should only be allowed if the processing is compatible with the purposes for which the personal data was initially collected. In such case, no separate legal basis other than that on grounds for which the collection of personal data was permitted. […] Decision on the merits 03/2021 - 7/11 16. To this end, the Disputes Chamber will investigate to what extent the legal grounds as determined in Article 6.1. GDPR can be invoked by the defendant in order to further process the justify personal data relating to the complainant. 17. The defendant himself does not state any legal basis which would allow him to surrender proceed to the data processing that is the subject of the complaint, being the communication from the complainant's e-mail address to the parents of other students. In addition, the defendant expressly admits that this communication was an error and it was by no means intended was to put all email addresses in CC. The defendant does not therefore argue that the communication should take place and therefore does not try to justify it by itself rely on any legal basis. 18. On the basis of the factual elements present in the file, the Disputes Chamber proceeds ex officio whether, if necessary, a legal ground can be invoked that would allow the defendant to proceed with the sending of the mail containing it visible to all recipients e-mail address of the complainant. To this end, the Disputes Chamber will investigate whether the notification of the The complainant's e-mail address can be based on any legitimate interest on account of the defendant (Article 6.1. f) GDPR). The other legal grounds included in Article 6.1. points a), b), c), d) and e) GDPR are in present case not applicable. 19. In accordance with Article 6.1 f) GDPR and the case law of the Court of Justice of the European Union (hereinafter “the Court”) three cumulative conditions must be fulfilled for a controller can validly invoke this ground of lawfulness, “te know, in the first place, the promotion of a legitimate interest of the controller or of the third party (ies) to whom the data are provided, in the second, the necessity of the processing of personal data for the purpose of the legitimate interest, and, thirdly, the condition that the fundamental rights and freedoms of the person concerned with data protection do not prevail ”(judgment “Rigas”). 20. In order to be able to rely on the lawfulness ground of the "Legitimate interest", in other words, must be indicated by the controller show that: 3HvJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA 'Rīgas satiksme', recital 28. See also CJEU, 11 December 2019, C-708/18, TK t / Asociaţia de Proprietari bloc M5A-ScaraA, recital 40. Decision on the substance 03/2021 - 8/11 1) the interests pursued by this processing can be recognized as justified (the “target key”); 2) the intended processing is necessary for the realization of these interests (the “Necessity test”); and 3) the balancing of these interests against the interests, fundamental freedoms and fundamental rights of data subjects weighs in favor of the controller (the “balancing test”). 21. With regard to the first condition (the so-called “target test”), the Disputes Chamber of judge that the purpose is to simultaneously treat all the parents of the students reach by sending a single email is to be considered carried out with a legitimate interest in mind. The interest that the defendant as controller may in itself, in accordance with Recital 47 GDPR, be considered justified. Hence, the first condition is satisfied in Article 6.1, f) GDPR. 22. In order to meet the second condition, it must be demonstrated that the processing necessary for the achievement of the objectives pursued. This means more stipulates that the question should be asked whether the same result can be achieved by other means are achieved without processing of personal data or without unnecessarily invasive processing for the data subjects. 23. Based on the purpose of reaching the parents of students in a single email mail, the Dispute Chamber must establish that there is a simple technical means that allows you to reach the intended recipients of the e-mail in a single movement without that the email addresses of everyone are visible, namely the transmission in BCC instead of in CC. The second condition is thus not satisfied because of the principle of minimal data processing (Article 5.1. c) GDPR) has not been complied with. 24. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called “Balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, should reasonable, in accordance with Recital 47 GDPR expectations of the data subject. More specifically, it should be evaluated whether “data subject at the time and in the context of the collection of the personal data is reasonably permitted expect processing to take place for that purpose ”.4 4 Recital 47 GDPR. Decision on the merits 03/2021 - 9/11 25. This is also emphasized by the Court in its judgment “TK t / Asociaţia de Proprietari bloc M5A- ScaraA ”of December 11, 2019, in which it states: “Also relevant to this assessment are the reasonable expectations of the data subject that are or her personal data will not be processed when, in the circumstances of the case, the data subject cannot reasonably further process the data expect". 26. With regard to this third condition, the Disputes Chamber can only establish that the complainant is on could not expect any moment of sharing his email address with the parents of others pupils. 27. The Disputes Chamber is of the opinion that the totality of the elements set out demonstrates that the defendant cannot rely on any legal basis proving its legality of the data processing as set up by him. In addition, the defendant disputes not the facts and states that in the relevant e-mail that is the subject of the complaint the complainant's e-mail address was placed in the field “CC” instead of “BCC” (BCC), although this was not done intentionally. By doing so, he indicates that he has committed an infringement of the processing of the complainant's personal data. The Disputes Chamber thus concludes that the infringement of Article 5.1.b) in conjunction with Article 6.4. GDPR, and Article 6.1. AVG has been proven. 28. Despite the fact that it appears from the documents submitted by the defendant that there is within the school general guidelines have been drawn up whereby the recipients must be entered in BCC in global emails the complainant shows that these guidelines are not being put into practice. Not only the email dated January 30, 2020 to which the complaint relates, respects it Directive, but also in the e-mail dated April 22, 2020 enclosed by the complainant in his opinion of reply, that rule is not applied. The defendant does not disprove this, but merely states that the case will be followed up. The Disputes Chamber is of the opinion that the violation of art. 24.1 and 2, and art. 25.1. and 2. AVG is proven. 29. Moreover, the Disputes Chamber is of the opinion that a school should be transparent about the way in which it processes (communication) data from parents and develops a policy for this purpose. The Disputes Chamber therefore recommends that the defendant develop such a policy, which serves to ensure that communication with parents takes place in accordance with art. 24.1 and 2, and art. 25.1. and 2. GDPR. 5 CJEU, 11 December 2019, C-708/18, TK to Asociaţia de Proprietari bloc M5A-ScaraA, recital 58. Decision on the substance 03/2021 - 10/11 30. Since this problem affects all schools in Belgium, the Disputes Chamber considers it decision as an incentive for schools to handle parental data with care and to develop a policy to this end. An important part of that would be further processing of data, whereby - in the cases in which Article 6.1. f) GDPR cannot be applied, consent can be used as a legal basis. For example when that data processed for the purpose of communication between parents. 31. It is important here that schools bear in mind that, as a general rule, it should come first that if consent has been given, further processing is only possible within the scope of that consent. After all, consent must be granular. If parents consent for the use of communication data by the school in the context of communication with other parents, the same data may not be passed on to third parties, for example for direct marketing (for eg school books). If the school wanted that information anyway pass it on for direct marketing purposes, the school must give it permission again ask the parents. This is also in accordance with the guidelines of the European Committee for Data Protection (EDPB) regarding consent which contains in essence that the controller prior to the collection of personal data must determine the legal basis on which the processing is based and cannot switch to the legal basis "legitimate interest", when the further processing does not fit within the initial legal basis "consent" on the basis of which the data was collected. 32. The Disputes Chamber is of the opinion that the following sanctions are sufficient, also in view of the the fact that the defendant himself admits that an error has occurred and is willing to do the same avoid facts in the future. 6 Recital 43 GDPR: […] Consent is deemed not freely given if no separate consent can be given for different personal data processing operations despite the fact that this is appropriate in the individual case is, or if the performance of an agreement, including the provision of a service, depends on the consent despite the fact that such consent is not necessary for that performance. 7 Guidelines 05/2020 on consent under Regulation 2016/679 (for the time being there is no official Dutch translation available) https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf: 121. Article 6 sets the conditions for a lawful personal data processing and describes six lawful bases on which a controller can rely. The application of one of these six bases must be established prior to the processing activity and in relation to a specific purpose. 122. It is important to note here that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent. Sending out the message that data will be processed on the basis of consent, while actually some other lawful basis is relied on, would be fundamentally unfair to individuals. 123. In other words, the controller cannot swap from consent to other lawful bases. For example, it is not allowed to retrospectively utilize the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent. Because of the requirement to disclose the lawful basis, which the controller is relying upon at the time of collection of personal data, controllers must have decided in advance of collection what the applicable lawful base is. Decision on the merits 03/2021 - 11/11 33. Considering the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision is made in accordance with Article 100, §1, 16 ° WOG published on the website of the Data Protection Authority with the omission of the identification data of the parties, given that identification data is not necessary and relevant in the publication of the decision. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - to formulate a reprimand on the basis of Article 100, §1, 5 ° WOG with regard to the defendant. - on the basis of Article 100, §1, 9 ° WOG, order the defendant to commence processing to bring it into line with Article 24.1. and 2. GDPR and Articles 25.1 and 2. GDPR. The Disputes Chamber gives the defendant a period of three months for this and expects the Disputes Chamber that the defendant will report to it by March 31, 2021 on the bringing the processing into line with the aforementioned provisions. Against this decision on the basis of art. 108, §1 WOG, appeals are lodged within one term of thirty days, from the notification, at the Marktenhof, with the Data protection authority as defendant. (get.) Hielke Hijmans Chairman of the Disputes Chamber