APD/GBA (Belgium) - 63/2024

From GDPRhub
APD/GBA - 63/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(7) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 15(1) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 25.04.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 63/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: nzm

The DPA found that the administrator of a software platform allowing people to book doctor's appointments was a processor as it did not determine the purposes of the processing, and did therefore not have to respond to an access request. The purposes were determined by the health care institutions.

English Summary

Facts

A data subject exercised their right of access with the administrator of the software platform for an app and website (‘administrator’). This app and website allowed patients to browse medical practices, identify themselves, choose the doctor with whom they want the appointment, choose the desired time slot and confirm the appointment.

The administrator of the platform indicated that they were merely acting as a processor and processing personal data on behalf of the health providers. It also provided the data subject with a list of doctors with whom the data subject is in the database.

The data subject considered this response insufficient and claimed that the administrator was indeed responsible for the processing. They therefore lodged a complaint with the Belgian DPA ('GBA').

Holding

Firstly, regarding controllership, the GBA indicated that the GDPR defines a 'controller' as the person who determines the purposes and means of the processing of personal data. The DPA added that the CJEU held that the concept of ‘controller’ should be interpreted broadly (CJEU, 10 July 2018, Jehovan todistajat, C-25/17).

Additionally, the EDPB Guidelines on the concepts of controller and processor in the GDPR indicate that the controller is not necessarily someone who actually has access to the data being processed. For example, someone who outsources a processing activity and has a determinative influence on the purpose and essential means of the processing is to be regarded as a controller (§45 of the EDPB Guidelines).

In the present case, the GBA found that the purpose of the app and website was to have an online scheduling system, exchange data with other apps and make fully automated appointments. Therefore, the purpose was determined autonomously by the healthcare provider. The administrator simply provided an online calendar system to achieve this purpose. Therefore, the healthcare providers were considered controllers.

The GBA then noted that to be considered a processor within the meaning of the GDPR, two central conditions must be met: (i) it must be a natural or legal person and (ii) it must process personal data on behalf of the controller.

Regarding the first condition, the GBA held that the healthcare providers decided to outsource the activity consisting of online registration of patient appointments to the administrator of the platform which is an external organisation, separate from the healthcare providers practice. Therefore, the administrator had a legal personality.

Regarding the second condition, the GBA noted that the processing agreements showed that the processing activity was carried out exclusively according to the written instructions of the healthcare providers. They also expressly provided that the administrator would not process personal data for any purpose other those specified by the healthcare provider. The privacy policy also specified that the administrator was only responsible for the technical functioning of the platform, while the healthcare providers were responsible for determining the purpose and content of the processing operations.

Therefore, the GBA held that the administrator was in fact a processor.

Secondly, regarding the right of access, the GBA pointed out that the rights available to the data subject must be exercised vis-à-vis the controller. It indicated that no provision of the GDPR provides a basis for the data subject to exercise their right of access directly with the processor.

In the present case, the processor repeatedly attempted to provide information to the data subject explaining that their access request should be addressed to each healthcare provider. The DPA also noted that the administrator even informed them of the databases of healthcare providers in which they could be found, which was a good practice and facilitated the exercise of the data subject's rights.

Therefore, the GBA concluded that there was no violation of Article 4(7) GDPR, read in conjunction with Articles 12(3), 12(4) and 15(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/11



                                                                          Dispute Chamber


                                       Decision on the merits63/2024 of April 25, 2024


File number: DOS-2022-01907


Subject: Exercise of the right of access



The Disputes Chamber of the Data Protection Authority, composed of Mr

Hielke HIJMANS, chairman, and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and regarding the free movement of such data and to the revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter “WOG”;


In view of the internal rules of order, as approved by the House of Representatives

Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;


Considering the documents in the file;



Has made the following decision regarding:


Complainant: Mrs.


The defendant: Y, hereinafter “the defendant” Decision on the merits 63/2024 — 2/11


I. Facts and procedure


 1. On February 4, 2023, the complainant submits a complaint to the Data Protection Authority

       against defendant.


 2. The subject of the complaint concerns the complainant's exercise of the right of access,
       in which it addresses its request to the defendant, being the administrator of the software

       platform for an online agenda system. The complainant's request was not acted upon

       given by the defendant. In the context of the subsequent mediation that

       took place at the level of the First Line Service, the defendant responded and

       indicated to act in the capacity of processor and only the personal data

       to be processed on behalf of customers who use the software platform

       the defendant. The defendant provided the complainant with an overview of the customers
       where the complainant is located in the database, so that the complainant can access the information he or she wishes

       can address the defendant's customers with a request for access. According to the complainant this is

       response from the defendant is inadequate, as it states that the defendant

       is responsible for the personal data processed via the platform and

       would thus have acted in violation of article 4.7) GDPR, articles 12.3 and 12.4 GDPR in conjunction

       Article 15.1 GDPR.

 3. On February 16, 2023, the complaint will be declared admissible by the First Line Service on

       on the basis of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG

       transferred to the Disputes Chamber.

 4. On July 31, 2023, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and Article 98WOG

       that the file is ready for treatment on the merits and the parties involved will be notified by email

       notified by registered mail of the provisions stated in Article 95, § 2,

       as well as of this in article 98WOG. They are also informed on the basis of article 99WOG

       of the time limits for submitting their defenses.

       The deadline for receipt of the defendant's statement of defense was

       recorded on September 22, 2023, for the complainant's response

       on October 13, 2023 and this for the conclusion of the defendant's reply on November 3

       2023.

 5. On July 31, 2023, the defendant requests a copy of the file (Article 95, § 2, 3° WOG),

       which was transferred to him on August 8, 2023.


 6. On September 22, 2023, the Disputes Chamber will receive the response statement
       the defendant who essentially claims to carry out the data processing on behalf of the defendant

       of the controllers on the defendant's SaaS offering



1
 Software as a Service Decision on the merits 63/2024 — 3/11


     entered into force and as a result of which the defendant intends to act as processor. The defendant

     explains that his role as a processor entails that he has no obligation

     to comply with Articles 12.3 and 12.4 GDPR and Article 15.1 GDPR. Insubordinate order

     the defendant indicated that the complainant was requested to provide additional information
     with a view to correct verification of her personal data in order to provide an appropriate response

     can give to the controller, being a healthcare provider,

     in accordance with the agreed obligations under the processing agreement, but that

     cooperation from the complainant to provide this information has not been forthcoming. The

     Defendant subsequently provided transparent and understandable information several times

     was provided to the complainant in relation to the access request.

7. On September 6, 2023, the parties will be notified that the Disputes Chamber

     proceeds ex officio to set a hearing for which the date is set

     recorded on November 23, 2023.

8. On October 13, 2023, the Disputes Chamber will receive a letter from the complainant stating:

     reported that not all documents in the file could be consulted electronically and

     that in the absence of all information it was not possible to submit a reply statement

     within the established conclusion period. The Disputes Chamber will then make the requested decision

     documents to the complainant by post.

9. On October 26, 2023, the hearing date will be postponed to December 14, 2023,

     whereby a (new) deadline for receipt of the response statement

     complainant was committed on November 8, 2023 as well as for the conclusion of the reply of the
     defendant on November 29, 2023.


10. Notwithstanding the extension of the conclusion periods, no new conclusions will be issued

     submitted to the Disputes Chamber.

11. On December 14, 2023, the defendant will be heard by the Disputes Chamber. The complainer

     who was duly summoned, reports by letter received by the Disputes Chamber on 13

     will not be published until December 2024.

12. The minutes of the hearing will be sent to the parties on December 21, 2023

     submitted.


13. On December 22, 2023, the Disputes Chamber will receive a single letter from the defendant
     comment regarding the official report, which she decides to include

     her deliberation. Decision on the merits 63/2024 - 4/11


II. Justification



         a) Capacity of the defendant

 14. In order to fulfill the obligations that the defendant must comply with in accordance with the


       GDPR, it must be determined in advance in which capacity the

       defendant acts with regard to the data processing that is the subject

       of the complaint. It is crucial that it is investigated whether the defendant acts as
                                                             2 3
       controller (Article 4.7) GDPR) or as processor (Article 4.8) GDPR).


 15. The defendant argues that it merely acts as a processor, not as a processor

       controller. The Disputes Chamber examines whether the principle that the

       defendant should only be regarded as a processor in accordance with the
                                                                                                            4
       (broad) interpretation of the concept of controller by the Court of Justice

       and the European Data Protection Board (EDPB), in particular in the Guidelines 07/2020

       about the concept of controller.


 16. The GDPR defines a “data controller” as the entity that, alone or jointly

       with others, the purposes and means of processing the personal data

       determines . This definition must be understood in the light of the objective of the

       legislator to assume primary responsibility for the protection of personal data

       to the entity that actually exercises control over the data processing.

       This means that not only the legal qualification must be taken into account,

       but also with the actual reality. 6


 17. The EDPB has clarified that the concept of controller is based

       is on the influence of the controller on the processing, on the basis of a

       decision-making power or control over processing activities. Such control is possible





2Article 4 GDPR;

For the purposes of this Regulation the following definitions apply:
[…]

(7) 'controller' means a natural or legal person, public authority, agency or other
body that, alone or jointly with others, determines the purposes and means of the processing of personal data
establishes; when the purposes and means of this processing become established in Union or Member State law
established, it can be determined who the controller is or according to what criteria he or she will become the controller
designated;
3
 Article 4 GDPR;
For the purposes of this Regulation the following definitions apply:

[…]

(8) 'processor' means a natural or legal person, public authority, agency or other body
processes personal data on behalf of the controller;
4See, among others, CJEU, Judgment of 10 July 2018, Jehovan todistajat, C-25/17, ECLI:EU:C:2018:551, pt 66, and most recently judgment of
March 7, 2024, IAB Europe, C-604/22, ECLI:EU:C:2024:214, pt 55.

5Art. 4.7) GDPR
6
 L. A. YGRAVE & L. OSONI, “Article 4(7). Controller” in The EU General Data Protection Regulation. A Commentary, Oxford
University Press, 2020, p. 148. Decision on the merits 63/2024 – 5/11


       arise from legal provisions, arise from an implied authority or

       are based on the exercise of actual influence. Essentially it comes down to determining the

       purposes and means correspond to determining the why and the, respectively


       how of the processing: for a specific processing activity the

       controller is the person who exerts influence on the processing of

       personal data and therefore determines why the processing takes place (i.e. for what purpose

       or for what) and how that goal will be achieved (i.e. what means will be used

       used to achieve the goal). 8


 18. The power to determine the means and purposes of processing activities,
                                                                                    9
       can first of all be linked to the functional role of an organization. The

       responsibility are assigned based on the contractual provisions between

       the parties involved, although these are not always decisive, or on the basis of a

       assessment of a party's actual control. This way, the recording of the

       means and purposes result from a decisive influence over the processing, more

       determined as to the reason why processing takes place in a certain manner. 11


 19. In its Jehovah's Witnesses judgment, the Court of Justice gives a broad interpretation to the concept

       controller. This judgment emphasizes that the definition of

       controller must be interpreted broadly in order to ensure an “effective and

       full protection of data subjects', as well as that there is no access

       until the personal data concerned is required to act as a controller

                              14
       to qualify.

 20. The determining elements to determine whether the data processing takes place in the

       capacity as controller or as processor are the purposes


       and the means, more specifically the extent to which decision-making power is available

       is present.

 21. In concrete terms, in this case the data processing was carried out by the defendant

       is carried out using a software application based on web technology




7EDPB – Guidelines 07/2020 on the concepts of controller and processor in the GDPR, v2.0, 2021, para. 20 ff.
8Ibidem, para. 35.

9D. De Bot, The application of the General Data Protection Regulation in the Belgian context, Wolters Kluwer,
2020, para. 362.
10
  D. De Bot, The application of the General Data Protection Regulation in the Belgian context, Wolters Kluwer,
2020, para. 363-365.
1EDPB – Guidelines 7/2020 on the concepts of controller and processor in the GDPR, v2.0, 2021, para. 20.

12CJEU Judgment of 10 July 2018, Jehovan todistajat, C-25/17, ECLI:EU:C:2018:551.
13
  CJEU Judgment of 13 May 2014, Google Spain and Google and Others, C-131/12, ECLI: EU:C:2014:317, para. 34; see also the discussion
regarding the scope of the concept in C. DOCKSEY and H. HIJMANS, “The Court of Justice as a Key Player in Privacy and Data
Protection”, European Data Protection Law Review, 2019, ep. 3, (300)304.
14CJEU Judgment of 10 July 2018, Tietosuojavaltuutettu et Jehovan todistajat - uskonnollinen yhdyskunta, C-25/17,

ECLI:EU:C:2018:551. See also EDPB - Guidelines 07/2020 on the concepts of controller and processor in
the GDPR, v2.0, 2021, para. 45. Decision on the merits 63/2024 - 6/11


     based appointment system. In order to reduce the impact of the defendant on the purpose

     and to be able to assess the resources, insight must first be gained into the

     operation of this application. This goes as follows:

       a. The patient surfs to the medical practice's website or uses the app;


       b. The patient identifies himself in the online agenda system. The user of the

           application, in this case the healthcare provider, chooses how the patient can register,
           namely via 1) username and password; 2) name, first name and date of birth;

           3) e-ID, 4) national register number or 5) social media account;


       c. The patient chooses the doctor with whom he/she wants an appointment;

       d. The patient may choose an appointment category;


       e. The patient chooses the desired time slot;

       f. The patient optionally fills in additional comments;

       g. The patient confirms his/her appointment.


22. The defendant then checks whether the relevant personal data of the

     the patient involved is present in the healthcare provider's database. If this is the case

     is, thank the patient to make an appointment. If this is not the case, thank the patient
     either register manually or be denied access if the

     healthcare provider does not wish to accept new patients.


23. Based on the elements present in this file, the Disputes Chamber determines that
     the intended purpose is to have an online agenda system that

     makes it possible to make appointments and receive appointment reminders, data

     to exchange with other applications and to make fully automatic appointments per

     telephone. This purpose arises from the need for the healthcare provider to

     to be able to register appointments with patients in an efficient and efficient manner. This means

     that the purpose is determined completely autonomously by the healthcare provider and the online
     the defendant's agenda is merely a means to achieve this end.

     It is certain that only healthcare providers who are of the opinion that the

     defendant offered an application with the options offered by the online agenda system

     offers to register appointments with patients, also meets their specific needs

     will actually appeal to the defendant and proceed to conclude

     an agreement with the defendant. The healthcare provider does not decide on this alone
     purpose, but decides entirely on his own about which means he believes are the most adequate

     to achieve the goal he pursues. In addition, the defendant has a

     purely intermediary role in the sense that it only controls the distinct functionalities of the

     proposes and offers an application. However, it is only the healthcare provider who, in function, decides on the merits 63/2024 - 7/11



       of the purpose it pursues, the functionalities that the application chooses

       if it offers application possibilities, he wishes to use it. Since both it

       purpose if the means to this end is determined exclusively by the healthcare provider, must be indicated

       they are therefore assigned the status of controller.

 24. The defendant, on the other hand, meets the two central conditions for being a processor

       within the meaning of Article 4. 8) GDPR, namely:


       a) it is a separate legal entity from the controller, i.e. the

           healthcare provider, state and

       b) it processes the personal data on behalf of the controller.


 25. The healthcare providers, often a practice of healthcare providers, decide on the activity

       consisting of the online registration of appointments with patients to be outsourced to the

       defendant who is an external organization completely separate from the practice for which the

       healthcare providers. The defendant also has the required legal personality,

       as it has taken the form of a private limited company.

 26. The processing agreements that the defendant has provided show that the

       processing activity is carried out under strict obligation for the defendant to

       to carry them out in accordance with and only in accordance with the written instructions

       of the care provider. The Disputes Chamber notes that there is no room for this

       the defendant to use the personal data obtained for any other purpose

       processing purpose. It also expressly stipulates that the defendant

       will not process personal data for any purpose other than as stated by the

       care provider has been determined and in that sense the requirement is therefore also met

       Article 28.10 GDPR to be considered a processor. One's own purpose

       After all, the data obtained is completely absent on behalf of the defendant

       data is only processed for the benefit of the healthcare provider. This is also emphasized in

       the privacy statement 16 provided by the defendant. This is explicit

       stated that the defendant is only responsible for the technical functioning of the

       platform, where healthcare providers are responsible for determining the purpose and

       content of the data processing.






15
  EDPB – Guidelines 07/2020 on the concepts of controller and processor in the GDPR, v2.0, 2021, para. 73 – 84.
16Privacy Statement Y point 3.1. under title 3. Who processes the personal data:
“With regard to the Indirect Users of the Platform, the Direct User himself will have the capacity

acquire from controller. The Direct User understands that Y in this context only as a processor
who is responsible for the proper functioning of the Platform.”
In the privacy statement, title 1 Definitions indicates what interpretation should be given to “Direct
User” and “Indirect User”, which respectively is referred to healthcare providers and patients. This will be
reaffirmed in the defendant's conclusion. Decision on the merits 63/2024 - 8/11


 27. The capacity of the defendant as a processor is also confirmed by the fact that the concrete

       processing activity of the defendant as a service provider who processes the personal data of

       the patient processes in his relationship with the healthcare provider in order to be able to proceed with the

       registration of an appointment between patient and healthcare provider takes place on behalf of

       the healthcare provider who has absolute control over data processing. The

       The nature of the service is decisive in the sense that in order to become a processor

       the service must be specifically aimed at the processing of

       personal data or the processing must constitute an essential aspect of that service.

       The software application offered by the defendant is essentially aimed at the

       processing personal data of patients as provided by the healthcare provider

       and which are necessary to be able to proceed with the registration of only

       agreements with the relevant healthcare provider without the defendant having to do so

       offers file management of health data and without the defendant even

       has any influence on the determination of the purposes and means of the processing.


 28. Since the Disputes Chamber is of the opinion that it is established that the defendant is acting

       as a processor, this has consequences for the data protection obligations that

       arise from this. Below, the Disputes Chamber will discuss this from this perspective

       defendant has the capacity of processor, the exercise of the right of access

       that is the subject of the complaint.


        b) Right of access

                                                                     17
 29. The right of access as included in Article 15.1 GDPR stipulates that the data subject has the

       has the right to obtain confirmation from the controller as to whether



17
  1.The data subject has the right to obtain confirmation from the controller as to whether or not
process personal data concerning him and, where that is the case, to obtain access to them
personal data and the following information:
a) the purposes of processing;

b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular

recipients in third countries or international organizations;
d) where possible, the period for which the personal data is expected to be stored, or if
that is not possible, the criteria for determining that period;

e) that the data subject has the right to request that personal data be deleted from the controller
rectified or deleted, or that the processing of personal data concerning him is restricted, as well as the right
to object to that processing;
f) that the data subject has the right to lodge a complaint with a supervisory authority;

g) where the personal data is not collected from the data subject, all available information about its source
facts;
(h) the existence of automated decision-making, including profiling referred to in Article 22(1) and (4), and,

at least in cases, useful information about the underlying logic, as well as the importance and expected consequences of it
that processing for the data subject.
2. When personal data is transferred to a third country or an international organization, the
the data subject has the right to be informed of the appropriate guarantee in accordance with Article 46 regarding the transfer.

3.The controller shall provide the data subject with a copy of the data being processed. If
the data subject requests additional copies, the controller may, on the basis of the administrative decision on the merits 63/2024 - 9/11


      not to process personal data concerning him and, where that is the case, to

      to inspect those personal data and the information included in this provision

      information. A number of obligations arise from this

      controller, in accordance with Article 12 GDPR on transparency
      information and communication with regard to the data subject, as well as with regard to the

      facilitating the exercise of the right of access by the data subject.


 30. The Disputes Chamber draws attention to the fact that this right is available to the person concerned

      must be exercised vis-à-vis the controller. It
      the right of inspection can therefore be exercised exclusively by the data subject, in this case the complainant

      with regard to the controller, being the healthcare provider. Not a single one

      provision of the GDPR provides a basis for a data subject to have the right of access

      to be exercised directly with regard to the processor to which the

      controller applies. Since the defendant has the capacity

      of the processor, the complainant cannot reasonably address the defendant
      in order to gain access to the data concerning her.


 31. From the documents in the file, in particular those submitted during the

      mediation procedure at the First Line Service, it appears that the defendant has repeatedly

      attempted to provide the complainant with information by alerting her to the request
      available for inspection by any healthcare provider in their capacity

      controller had to be addressed as well as by the complainant in the

      within the framework of the mediation, to provide an overview of the practices that her

      process personal data. Notwithstanding that under the GDPR there is no

      obligation on the part of the defendant to comply with the request for access to the data

      personal data processed by the healthcare providers via the software application
      which were consulted by the complainant, the defendant attempted to contact the complainant

      make it clear that she had to contact the relevant healthcare providers separately

      address her request for inspection. During the hearing, the defendant repeated that

      only the healthcare provider as controller can ask the defendant

      to provide data to the data subject. Concretely in the present file, there is

      by the defendant after information was obtained in the context of the
      mediation procedure at the First Line Service, a search was made by the defendant

      to the complainant. This search served to indicate which one

      the controller should contact the complainant with her request for access

      in order to enable the complainant to obtain an answer

      her request for access.




charge a reasonable fee. When the data subject submits his request electronically, and not to another
request, the information will be provided in a common electronic form. Decision on the merits 63/2024 - 11/11



an objection petition must be submitted to the registry of the Market Court

in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit

IT system of Justice (Article 32ter of the Judicial Code).









(get). Hielke H IJMANS


Chairman of the Disputes Chamber























































 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
     company number;

 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
     summoned;
 4° the subject matter and brief summary of the grounds of the claim;
 5° the judge before whom the claim is brought;
 6° the signature of the applicant or his lawyer.

19The petition with its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.