APD/GBA (Belgium) - 117/2021

| APD/GBA (Belgium) - 117/2021 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 9 GDPR; Article 24(1) GDPR; Article 32(1) GDPR; Article 38(3) GDPR; Article 57(1)(f) GDPR; Article 58 WOG |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | 22.10.2021 |
| Published: | 22.10.2021 |
| Fine: | None |
| Parties: | X (complainant); Y (defendant) |
| National Case Number/Name: | 117/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | Decision 117/2021 (in NL) |
| Initial Contributor: | Matthias Smet |
The Belgian DPA dismissed a complaint because the complainant, when submitting the complaint, was pursuing a general public concern (i.e. the protection of the privacy rights of internet users filling in unsecured contact forms on the website of a hospital) without having a personal stake in the case.
English Summary
Facts
The Complainant in this case was a patient in a Belgian hospital. He noticed that the hospital was using unsecured contact forms on its website. In particular, these forms were sent to the hospital in an unencrypted manner and via an unsecured connection. As a result, the personal data contained in these forms, including sensitive health data, were potentially exposed to the risk of being intercepted by third parties and being read in the network traffic.
The Complainant therefore filed a complaint with the Belgian DPA, considering that such processing was unlawful. On the basis of this complaint, the Inspection Service of the Belgian DPA conducted an investigation. During this investigation, the following (additional) breaches of data protection legislation were identified:
- the hospital implemented insufficient technical and organisational measures to guarantee the protection of (health) data (Article 32 GDPR);
- the DPO of the hospital was not reporting directly to the highest management level within the organisation (Article 38(3) GDPR).
Holding
Admissibility of the complaint
The Belgian Law on the Establishment of the Data Protection Authority states that anybody can file a complaint with the Belgian DPA, provided that all the prescribed conditions in Article 60 of this law are met. In a previous decision, the Belgian DPA had already decided that an additional condition must be fulfilled, namely that the complainant demonstrates that he has sufficient interest.
In a recent case, the Belgian Supreme Court ruled that anyone who believes that their rights under the GDPR have been violated can lodge a complaint with the supervisory authority, even if their personal data have not been processed, provided that their refusal to provide personal data resulted in a disadvantage for them (e.g. not being able to use a certain service).
According to the Litigation Chamber of the Belgian DPA, the difference in this case was that the Complainant could not prove to have suffered any disadvantage by refusing to fill in the contact form on the hospital's website, since other alternatives existed to achieve the same objective, such as contacting the hospital by other means or filling in paper forms.
Since the Complainant was pursuing a general public concern at the time the complaint was filed (i.e. the protection of the privacy rights of everyone who visits the defendant's website and possibly uses the contact forms on the website) without having a personal stake in the case, the DPA dismissed the complaint.
General consideration to contribute to a high level of data protection
Since the inspection report revealed a number of shortcomings, the Litigation Chamber still decided to stress in its decision that:
- health data fall within special categories of personal data in the sense of Article 9 GDPR. Therefore, all possible technical and organizational measures must be taken to protect health data, such as encrypted transmission;
- the DPO must be able to report directly to senior management. In addition, a DPO should be given the opportunity to express a dissenting opinion to senior management and to those making the decisions when the controller takes decisions that are not in line with data protection law and/or the advice of the DPO (Article 38(3) GDPR).
Comment
This decision is interesting when compared to the recent Belgian Supreme Court case in which a data subject was able to file a complaint regarding a loyalty programme that they had not joined, even though their personal data had not been processed.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Decision on the merits 117/2021 of 22 October 2021

File number: DOS-2020-05264

Subject: Complaint due to unsecured connection to hospital website

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Dirk Van Der Kelen and Frank De Smet, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;

Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;

Having regard to the documents in the file;

has taken the following decision regarding:

The complainant: X, hereinafter referred to as "the complainant";

The defendant: Y (formerly called [..]), hereinafter "the defendant".

I. Facts and procedure

1. On 14 November 2021, the complainant lodged a complaint with the Data Protection Authority against the defendant.

2. The complainant is a patient at the defendant's hospital. The subject of the complaint is that the website (…), which belongs to the defendant, used a contact form and a form for the hospital's ombudsman service. According to the complainant, the forms filled in by website visitors were sent to the hospital in unencrypted form. Because an unsecured connection was used, third parties could, according to the complainant, intercept the (health) data.

3. On 16 November 2021, the complaint was declared admissible by the Frontline Service pursuant to Articles 58 and 60 WOG and was submitted to the Disputes Chamber pursuant to Article 62 § 1 WOG.

4. On 16 December 2020, in accordance with Article 96 § 1 WOG, the Disputes Chamber's request to conduct an investigation was transferred to the Inspection Service, together with the complaint and the inventory of the documents.

5. The inspection was completed by the Inspection Service on 26 January 2020; the report was attached to the file and the file was forwarded by the Inspector General to the Chairman of the Disputes Chamber (Article 91 § 1 and § 2 WOG). The report contains findings with regard to the subject matter of the complaint, concluding that there were infringements of Article 32(1), (2) and (4) GDPR and of Article 24(1) GDPR because insufficient measures were taken to guarantee the security of the (special categories of) personal data processed via the defendant's website.

6. The report also contains findings that go beyond the subject matter of the complaint. The Inspection Service finds, in broad terms, that there were infringements of Articles 24(1), 38(1) and (3) and 39 GDPR because the data protection officer provided advice to the general manager and not to the board of directors, while the latter is the highest management body within the defendant's organisation. According to the Inspection Service, the information and advice provided by the data protection officer pursuant to Articles 38(1) and 39 GDPR on the security measures for the website (…) was insufficiently convincing.

7. On 7 April 2021, the Disputes Chamber decided on the basis of Article 95 § 1, 1° and Article 98 WOG that the file was ready for treatment on the merits.

8. On the basis of the Inspection Service's report, the Disputes Chamber decided to divide the file into two separate cases:

9. Pursuant to Article 92, 1° WOG, the Disputes Chamber will make a decision on the merits relating to the subject matter of the complaint.

10. Pursuant to Article 92, 3° WOG, the Disputes Chamber will make a decision on the merits as a result of the findings made by the Inspection Service outside the scope of the complaint.

11. On 7 April 2021, the parties concerned were notified of the provisions mentioned in Article 95 § 2 and Article 98 WOG. They were also informed, on the basis of Article 99 WOG, of the time limits for submitting their defences.

12. With regard to the findings on the subject matter of the complaint, the deadline for receipt of the defendant's response was set at 19 May 2021, that for the complainant's reply at 9 June 2021 and, finally, that for the defendant's statement of reply at 30 June 2021.

13. On 9 April 2021, the complainant requested a copy of the file (Article 95 § 2, 3° WOG), which was sent to him on 12 April 2021.

14. On 11 May 2021, the complainant electronically accepted all communication regarding the case and indicated that he wished to make use of the opportunity to be heard, in accordance with Article 98 WOG.

15. On 20 April 2021, the defendant electronically accepted all communication regarding the case and expressed its wish to make use of the opportunity to be heard, in accordance with Article 98 WOG.

16. On 19 May 2021, the Disputes Chamber received the defendant's statement of defence with regard to the findings on the subject matter of the complaint. The defendant argues that the protection of personal data is sufficiently guaranteed by the statutory duty of confidentiality as well as by the provisions of the work regulations on confidentiality, data minimisation and purpose limitation. The defendant therefore argues that data may only be processed to the extent necessary to achieve the intended purpose. According to the work regulations, failure to comply with the aforementioned provisions is sanctioned. According to the defendant, the complainant does not demonstrate that personal data relating to him have been processed via the (unsecured) website. For that reason, there is no requisite interest in filing a complaint. The Inspection Service refers in its report to another file concerning the defendant. The defendant points out that it has no knowledge of the contents of that file; that file is therefore irrelevant in the present case.

17. According to the defendant, Article 24(1) GDPR has indeed been implemented. First, the defendant indicates that it has started a project with the ultimate goal of ISO 27001 certification. According to the defendant, this certification can be regarded as the global standard for information security. Second, according to the defendant, the various agreements it has concluded with processors of personal data show that a detailed analysis has been carried out of the personal data to be processed under the various processing agreements. The processor must also always complete a questionnaire, after which information security and data protection are evaluated and appropriate measures are taken.

18. In addition, according to the defendant, the Inspection Service incorrectly finds that the confidentiality obligation is not complied with by the hospital as controller and that it has not been demonstrated that violations of the confidentiality obligations can be effectively sanctioned. According to the defendant, sanctions have indeed been imposed and, in the case of a violation of professional secrecy by a doctor, even dismissal is possible. According to the defendant, the Inspection Service does not show that personal data, let alone health data, are actually processed via the unsecured form on the website. According to the defendant, it has also not been demonstrated that unauthorised persons have gained access to the aforementioned data. The defendant indicates that it already decided of its own accord on 22 December 2020 to delete the contact forms. The defendant is a not-for-profit association and at the time the complaint was filed it was called [..]. Subsequently, the institution expanded its activities with a rehabilitation centre and has since continued under the name Y.

19. The defendant is of the opinion that it also meets the requirements of Articles 24 and 32 GDPR with the internal systems used within the hospital. Since there is a link between the hospital's website on the one hand and the internal systems on the other, "two-factor" authentication was chosen, according to the defendant. According to the defendant, it is apparent from the foregoing, among other things, that adequate security measures have been taken.

20. One of the findings of the Inspection Service outside the scope of the complaint is that the data protection officer did not issue advice and did not report to the highest body within the institution on the security measures within the hospital. The defendant states that it has at all times been aware of the importance of the data protection officer and has therefore always called upon the data protection officer. According to the defendant, this is apparent, among other things, from the fact that the officer is always closely involved when a processing agreement is concluded between the defendant and its processors. The officer was also consulted and involved in the construction of the new website in order to ensure that future processing via the website complies with the legal provisions, according to the defendant. In addition, the data protection officer is part of the so-called Information Security Committee, which has a preparatory and advisory role towards the executive committee regarding privacy matters within the hospital. According to the defendant, the general manager is indeed the highest managerial authority within the hospital, so that there is no question of a violation of Article 38(3) GDPR.

21. In addition, the defendant submits that it was never the intention that the contact forms on the website would serve to exchange health data. After all, the electronic patient file is strictly secured, according to the defendant. According to the defendant, there is also no large-scale processing of personal data through the contact forms, as determined by the Inspection Service. The defendant points out that it should not be overlooked that one of the forms on the website went to the ombudsman service and is therefore separate from the patient file. The defendant requests that a number of mitigating circumstances be taken into account, namely that no personal data have been consulted by third parties in an unauthorised way and that, once personal data end up in the hospital or on the hospital's servers, the institution makes every effort to keep those data very secure.

22. The defendant indicates that it is aware that a security certificate for the web form should have been implemented faster once this was pointed out. However, it has not yet been shown that any damage has occurred to a data subject. There has been no unauthorised access to personal data.

23. In addition, some key employees were unavailable due to the pandemic, which caused a delay in integrating certain measures. The defendant has not previously been convicted of GDPR violations, has started a project with the ultimate goal of obtaining ISO 27001 certification, and asks that the aforesaid elements be taken into account as mitigating circumstances.

24. On 14 June 2021, the Disputes Chamber received the complainant's statement of reply, which concerns the findings on the subject matter of the complaint. The complainant is of the opinion that the change in the structure and composition of the hospital is irrelevant and cannot have resulted in the website not complying with the principles of data processing. After all, the GDPR already came into effect in 2018, so the defendant had already been in violation of the GDPR for two years. In response to the defendant's argument that visitors are not obliged to use the contact form, the complainant submits that website visitors cannot be expected to exercise caution when filling out an online contact form that is provided by the defendant. Now that use is made of a form, the connection of the website must be secured. That, according to the complainant, obligations of confidentiality apply to the employees is also irrelevant, now that the personal data sent via the contact form are unsecured and exposed to the risk of being intercepted by third parties and read in the network traffic. The complainant does not share the defendant's view that he has no interest in submitting a complaint. After all, the form is online without being secured and can be filled in and sent by anyone. According to the complainant, it cannot be the intention that he should track down the data subjects who completed the form and then ask them to submit a complaint to the GBA.

25. On 26 July 2021, the parties were notified that the hearing would take place on 4 October 2021.

26. On 4 October 2021, the defendant was heard by the Disputes Chamber. Although duly summoned and having confirmed that he would be present, the complainant did not appear.

27. On 11 October 2021, the minutes of the hearing were sent to the parties.

28. On 18 October 2021, the Disputes Chamber received the following comments from the defendant with regard to the minutes: the defendant had indicated at the hearing that the new website is currently online and that the data protection officer reports to the audit committee, which is composed of representatives of the board of directors.

II. Admissibility of the complaint

29. The Disputes Chamber first examines whether the complaint is admissible. The defendant argues that the complainant has no interest in complaining about the defendant's website and contact form because none of his personal data are processed by the defendant. For this reason, according to the defendant, the complaint should be declared inadmissible or unfounded.

30. Article 58 WOG provides: "Anyone may submit a written, dated and signed complaint or request to the Data Protection Authority". In accordance with Article 60, paragraph 2 WOG, a complaint is admissible if it:
- is drawn up in one of the national languages;
- contains a statement of the facts, as well as the necessary indications for the identification of the processing to which it relates;
- falls under the jurisdiction of the Data Protection Authority.

31. The Disputes Chamber considered as follows in a previous decision on this matter [1]: "While the GDPR approaches the 'complaint' from the point of view of the data subject, and imposes obligations on supervisory authorities when such a person submits a complaint (see Articles 57(1)(f) and 77 GDPR), the GDPR does not prevent national law from giving persons other than data subjects the opportunity to lodge a complaint with the national supervisory authority. The possibility of such a complaint furthermore corresponds to the tasks that the GDPR assigns to each supervisory authority: monitoring and enforcing the application of the GDPR (Article 57(1)(a) GDPR) and performing all other tasks related to the protection of personal data (Article 57(1)(v) GDPR)." The condition is that the complainant appears to have sufficient interest.

32. The complainant indicated in the complaint form that he searched the website for the details of his treating physician and then noticed that an unsecured connection was used for both the website and the contact forms. However, it does not appear that the complainant's data have been processed.

33. For the sake of completeness, the Disputes Chamber refers in this regard to a recent judgment of the Court of Cassation [2]. In that judgment, the Court ruled that any data subject who believes there has been an infringement of their rights under the GDPR may file a complaint with the supervisory authority. Data subjects whose personal data have not been processed may, however, also file a complaint in certain cases. This is subject to the condition that the data subject has been unable to obtain a certain advantage or a certain service because, due to the existence of the allegedly infringing practice, they refused to consent to the processing. In this case, according to the Disputes Chamber, it cannot be argued that a service could not be used, now that there were also other options such as telephone contact or filling in the forms on the spot.

34. The complainant did not appear at the hearing, so the Disputes Chamber did not receive any explanation from the complainant. Based on the complainant's description of the complaint and the documents submitted, the Disputes Chamber must find that, when submitting the complaint, the complainant pursued a general public interest consisting of the protection of the privacy rights of anyone who visits the defendant's website and possibly uses the contact forms on it. The complainant has not shown that he has any personal interest. The fact that he was a patient of the hospital concerned is, in the given circumstances, in which it does not appear that his personal data were processed via the contact form or that he intended to use that contact form, insufficient to establish this interest.

35. After examination of the complaint in the substantive proceedings, it has thus become apparent that the complaint does not meet the conditions for admissibility. The Disputes Chamber therefore concludes that the complaint is inadmissible for lack of personal interest. The Disputes Chamber is therefore prevented from dealing with the complaint and the subsequent findings of the Inspection Service within and outside the scope of the complaint, and from imposing administrative sanctions. The Disputes Chamber therefore decides to proceed to a technical dismissal [3].

III. General considerations

Technical and organisational measures

36. This does not alter the fact that the inspection report reveals a number of shortcomings in the way in which the defendant processes data. On the basis of the findings in the inspection report, the Disputes Chamber wishes to devote a number of general considerations to the matter of taking sufficient security measures to guarantee the secure processing of personal data. In doing so, the Disputes Chamber implements the general task of the DPA to contribute to a high level of data protection.

37. Article 24(1) GDPR provides: "Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary."

Article 32 GDPR provides: "1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law."

35. According to Article 9 GDPR, health data belong to the special categories of personal data. Recital 51 GDPR describes such data as: "Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms." The processing of health data should therefore be carried out with the greatest care, and every possible technical and organisational measure must be taken to protect these data. The main task of a hospital is to provide medical care. It is therefore not implausible that patients used these contact forms to share information about their health situation with the hospital. In addition, the form for the ombudsman service often serves to express dissatisfaction and complaints, especially about treatment in the hospital, which are indirectly related to that medical treatment and therefore often contain health information.

36. As can be seen from the above articles, the controller is obliged to take the necessary technical and organisational measures in order to guarantee that data processing is carried out in accordance with the GDPR. Hospitals, whose main task is to provide medical care, regularly process large amounts of health data. They should therefore be extra vigilant and ensure that these data are processed in accordance with the GDPR. The Disputes Chamber points out that data relating to health (and the transfer thereof) must be sufficiently secured and that, among other things, the data must therefore be sent with sufficiently strong encryption from the user's computer to the server that serves a website with a form. This can be done by using a security certificate.

37. In addition to the above, recital 83 GDPR provides: "In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage."

Reporting by the data protection officer

38. The Guidelines on Data Protection Officers [4] give the following explanation of reporting to the highest management level as referred to in Article 38(3): "If the controller or processor makes decisions that are not in line with the General Data Protection Regulation and the advice of the data protection officer, the latter should be given the opportunity to make his or her dissenting opinion clear to senior management and to those making the decisions. In that regard, Article 38(3) provides that the data protection officer 'directly reports to the highest management level of the controller or processor'. Such direct reporting ensures that senior management (e.g. the board of directors) is aware of the advice and recommendations that the data protection officer provides as part of his or her mission to inform and advise the controller or processor." It follows from the text quoted above that the data protection officer should be able to report directly to the highest management level. The Disputes Chamber does not rule out that this may be the general manager within a hospital.

39. The Disputes Chamber recalls that the accountability obligation laid down in Article 5(2) GDPR entails that the controller must be able to demonstrate that it complies with the obligations described in the GDPR.

IV. Publication of the decision

40. Given the importance of transparency in the decision-making of the Disputes Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for the identification details of the parties to be disclosed directly.

FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- dismiss the present complaint pursuant to Article 100 § 1, 1° WOG.

Against this decision, pursuant to Article 108 § 1 WOG, an appeal may be lodged within a period of thirty days from the notification with the Marktenhof, with the Data Protection Authority as defendant.

(signed) Hielke Hijmans
Chairman of the Disputes Chamber

Footnotes:
[1] Decision 80/2020 of 17 December 2020 of the Disputes Chamber. See also decision 30/2020 of the Disputes Chamber.
[2] Judgment of the Court of Cassation c.20.0323.N/1 of 7 October 2021.
[3] Dismissal policy of the Disputes Chamber of 18 June 2021, under 3.1.A.5.
[4] Guidelines on Data Protection Officers of the Article 29 Working Party, WP 243 rev.01, p. 18.