APD/GBA (Belgium) - 52/2024
| APD/GBA - 52/2024 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR; Article 5(1)(b) GDPR; Article 5(1)(f) GDPR; Article 6 GDPR; Article 32(1)(b) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | |
| Published: | 03.04.2024 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 52/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | GBA (in NL) |
| Initial Contributor: | nzm |
The DPA found that mistakenly addressing an email to a third person cannot be regarded as further processing for which the controller had established a legal basis in advance; it is an error rather than intended processing.
English Summary
Facts
In the context of the sale of a property, a notary (“controller”) sent personal details of the data subject and the other heirs (names, addresses, civil status, dates of birth, national register numbers) to an incorrect addressee. The latter informed all addressees by email that she had mistakenly received the email.
The data subject lodged a complaint with the Belgian DPA (“APD”).
Holding
Regarding the lawfulness of processing, under Article 5(1)(b) GDPR, the processing of personal data for purposes other than those for which the personal data were initially collected can be authorized if the processing is compatible with the purposes for which the personal data were initially collected. The APD went on to examine if the sending of the email to the third person was compatible with the initial processing.
The APD indicated that further processing is only lawful if there is a legal basis. The third person indicated that they had been “wrongly addressed”, and the controller itself also referred to the third person as the “wrong addressee”. It could therefore be understood that forwarding the personal data to the third person was not the controller’s purpose. Thus, the APD decided that the processing could be classified as an error and not as processing for which the controller had established a legal basis in advance. The APD concluded that there may have been a breach of Articles 5(1)(a), 5(1)(b) and 6 GDPR.
Regarding the principle of integrity and confidentiality, Articles 5(1)(f) and 32(1)(b) GDPR establish that the controller must implement appropriate technical and organizational measures to ensure appropriate security of the personal data. The APD considered that there was a breach of confidentiality, namely an unauthorized disclosure of personal data. Therefore, the APD held that the technical and organizational measures taken by the controller may have been insufficient to avoid such a breach, violating Articles 5(1)(f) and 32(1)(b) GDPR.
Regarding the notification of the data breach to the supervisory authority, Article 33(1) GDPR provides that the controller is obliged to notify the competent national supervisory authority without undue delay and where feasible, no longer than 72 hours after becoming aware of it, unless the breach is not likely to pose a risk to the rights and freedoms of the data subjects. In the present case, the APD noted that the controller received confirmation that the third person did not open the attachments to the email and immediately deleted it. Therefore, the APD considered that the data breach was unlikely to pose a risk to the rights and freedoms of the data subject and that there was no obligation to notify the DPA.
The APD decided, prima facie, that there may have been violations of Articles 5(1)(a), 5(1)(b), 5(1)(f), 6 and 32 GDPR and issued a warning to the controller.
Comment
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA ruled solely on the basis of the complaint, without a procedure on the merits. The controller can request such a procedure within 30 days of the decision.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Disputes Chamber
Decision 52/2024 of April 3, 2024
File number: DOS-2024-00220
Subject: Complaint due to the sending of an e-mail with personal data of the complainant to a wrong addressee

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”;

Having regard to the internal rules of procedure, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Has made the following decision regarding:

Complainant: X, hereinafter “the complainant”
The defendant: Y, hereinafter “the defendant”

I. Facts and procedure

1. On January 5, 2024, the complainant submitted a complaint to the Data Protection Authority against the defendant.

2. The subject of the complaint concerns the sending by the defendant of an e-mail with personal data of the complainant to an incorrect addressee. The defendant acts as a notary in the context of the sale of real estate of a testator. On November 30, 2023, the defendant sent an email to the heirs with, as attachments, the draft of the deed of sale and the settlement. These attachments contain the names, addresses, marital statuses, dates of birth and national register numbers of the 17 heirs, including the complainant. The defendant also sent this email to a wrong addressee, a third person. On December 1, 2023, this person let all recipients know by email that they had received the email in error.

3. On January 30, 2024, the complaint was declared admissible [1] by the First Line Service on the basis of Articles 58 and 60 of the WOG, and the complaint was transferred to the Disputes Chamber on the basis of Article 62, § 1 of the WOG [2].

4. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal rules of procedure of the GBA, the parties can request a copy of the file. If one of the parties wishes to make use of the opportunity to consult and copy the file, he or she must contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be.

II. Justification

II.1. The lawfulness of the processing

5. In accordance with Article 5.1.a) and Article 6.1 of the GDPR, any processing of personal data is based on a legal basis determined by the controller prior to the processing.

6. In the present case, the defendant acted as a notary in the context of the sale of immovable property of a testator. To this end, the defendant processed, among other things, the personal data of the complainant, as the latter was an heiress. The complaint relates to the fact that the defendant, in that context, forwarded the personal data of the complainant to a third person by email. The Disputes Chamber will examine below whether this further processing can be considered lawful.

7. To begin with, the Disputes Chamber notes that the addressed third person, after receiving the email, sent the following to all recipients: “Wrong email address this is not for me”. In her email to the complainant of December 4, 2023, the defendant furthermore also refers to the third person as “the wrong addressee”. Since the third person, as the defendant also indicates, was incorrectly addressed, it can be understood that sending the email to the third person does not correspond to the original purpose of the processing of the personal data.

8. In accordance with Article 5.1.b) GDPR, the processing of personal data for purposes other than those for which the personal data was initially collected may be permitted if the processing is compatible with the purposes for which the personal data was initially collected. Taking into account the criteria included in Article 6.4 GDPR and recital 50 GDPR, it must be determined whether or not the further processing, in this case the sending of the email to the third person, is compatible with the initial processing in the context of the sale of the property of the testator. In this assessment, the reasonable expectations of the data subject play an important role. In the present case, the complainant could not reasonably have expected that the defendant would share the data with the third person, since this person is not involved in the sale of the property.

9. This leads to the conclusion that there may be incompatible further processing. In that case, a separate legal basis would be required for the sending of the complainant's personal data to the third party to be considered lawful.

10. Processing of personal data, including incompatible further processing as, possibly, in the present case, is only lawful if such a legal basis exists. For incompatible further processing, reference is made to Article 6.1 GDPR. Article 6.1 of the GDPR stipulates that the processing must take place on the basis of one of the following legal bases: the data subject has given consent to the processing of his personal data for one or more specific purposes (Article 6.1.a) GDPR); the processing is necessary for the performance of a contract to which the data subject is a party or for the execution of pre-contractual measures taken at the request of the data subject (Article 6.1.b) GDPR); the processing is necessary to comply with a legal obligation to which the controller is subject (Article 6.1.c) GDPR); the processing is necessary to protect the vital interests of the data subject or of another natural person (Article 6.1.d) GDPR); the processing is necessary for the performance of a task of general interest or a task in the context of the exercise of public authority vested in the controller (Article 6.1.e) GDPR); or the processing is necessary for the pursuit of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, especially when the data subject is a child (Article 6.1.f) GDPR).

11. As noted in paragraphs 7 and 8 of this decision, the third person was “wrongly” addressed. Since the defendant himself also refers to the third person as the “wrong recipient”, it can be understood that forwarding the personal data to the third person was not the purpose of the defendant. The processing in question could thus be regarded as an error, and not as a processing for which the defendant had established a legal basis at the outset. On this basis, the Disputes Chamber is of the opinion that the defendant prima facie cannot rely on any legal basis from which the lawfulness of the processing would appear.

12. Based on the foregoing reasoning, the Disputes Chamber judges that Article 5.1.a), Article 5.1.b) and Article 6.1 of the GDPR may have been infringed.

II.2. The basic principle of integrity and confidentiality

13. According to Article 5.1.f) and Article 32.1.b) GDPR, personal data must be “processed in such a way, by taking appropriate technical or organizational measures, that appropriate security is guaranteed, and that they are protected, among other things, against unauthorized or unlawful processing and against accidental loss, destruction or damage”.

14. Based on the documents in the file, the Disputes Chamber determines that the personal data of the complainant was communicated to a third person without a legal basis. There has been a breach of confidentiality, namely an unauthorized or unintended disclosure of, or access to, personal data. It can therefore be concluded that the technical and organizational measures that the defendant had or had not taken were insufficient to prevent such an infringement. It is therefore possible that the defendant has failed to take appropriate technical and organizational measures.

15. Based on the foregoing reasoning, the Disputes Chamber judges that Article 5.1.f) and Article 32.1.b) GDPR may have been infringed.

II.3. Notification of a personal data breach to the supervisory authority

16. A data breach as defined in Article 4.12 GDPR is “a breach of security leading accidentally or unlawfully to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed”.

17. The Disputes Chamber recalls that when such a personal data breach occurs, Article 33.1 GDPR stipulates that the controller is obliged to notify it “without undue delay and, where feasible, not later than 72 hours after [the controller] has become aware of it” to the competent national supervisory authority, unless it is unlikely that the data breach poses a risk to the rights and freedoms of natural persons. If the infringement is likely to pose a high risk to the rights and freedoms of natural persons, the controller is, on the basis of Article 34.1 GDPR, also obliged to communicate this infringement to the persons whose personal data the infringement relates to.

18. In the present case, the Disputes Chamber notes that the defendant has taken steps to avert risks to the rights and freedoms of natural persons. In her email of December 4, 2023 to the complainant, the defendant indicates that it has received confirmation from the misdirected third person that the latter had not opened the attachments to the email (the draft of the deed of sale and the settlement) and had immediately deleted the email. On that basis it can be understood that it is prima facie not likely that the personal data breach poses a risk to the rights and freedoms of natural persons. In that case, there would be no obligation to report the infringement to the Data Protection Authority, or to communicate the infringement to the persons whose personal data the infringement relates to.

III. Decision

19. On the basis of the above analysis, the Disputes Chamber is of the opinion that the defendant may have committed infringements of the provisions of the GDPR, which justifies taking a decision in this case on the basis of Article 95, § 1, 4° of the WOG, more specifically warning the defendant that providing personal data to a third person without any applicable legal basis constitutes unlawful processing and an infringement of the integrity and confidentiality of the processing.

20. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, in the context of the “procedure prior to the decision on the merits” [3], and not a decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.

21. The purpose of this decision is to inform the defendant of the fact that it may have committed an infringement of the provisions of the GDPR and to give it the opportunity to still comply with the aforementioned provisions.

22. If the defendant does not agree with the content of this prima facie decision and is of the opinion that it can put forward factual and/or legal arguments that could lead to a new decision, it can submit a request for reconsideration to the Disputes Chamber in accordance with the procedure established in Articles 98 in conjunction with 99 of the WOG, known as a “treatment on the merits”. This request must be sent to the email address litigationchamber@apd-gba.be within a period of 30 days after notification of this prima facie decision. If applicable, the implementation of this decision is suspended for the above-mentioned period.

23. In the event of a continuation on the merits of the case, the Disputes Chamber will, on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG, invite the parties to submit their defenses as well as to add any documents they consider useful to the case file. If necessary, the present decision will be permanently suspended.

24. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits [4] of the case may lead to the imposition of the measures stated in Article 100 of the WOG.

[1] In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint has been declared admissible.
[2] In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file has been transferred to it as a result of this complaint.
[3] Section 3, Subsection 2 of the WOG (Articles 94 to 97).
[4] Article 100. § 1. The Disputes Chamber has the authority to: 1° dismiss a complaint; 2° order the dismissal of prosecution; 3° order the suspension of the ruling; 4° propose a settlement; 5° formulate warnings and reprimands; 6° order that the data subject's requests to exercise his rights be complied with; 7° order that the data subject is informed of the security problem; 8° order that processing be temporarily or permanently frozen, restricted or prohibited; 9° order that the processing be brought into compliance; 10° recommend the rectification, restriction or deletion of data and its notification to the recipients of the data; 11° order the withdrawal of the recognition of certification bodies; 12° impose penalty payments; 13° impose administrative fines; 14° order the suspension of cross-border data flows to another State or an international institution; 15° transfer the file to the public prosecutor's office in Brussels, which will inform it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.