APD/GBA (Belgium) - 130/2021
APD/GBA (Belgium) - 130/2021 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR Article 6(1)(a) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 29.11.2021 |
Published: | 29.12.2021 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 130/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | autoriteprotectiondonnees (in NL) |
Initial Contributor: | Jonathan Crabbe |
The Belgian authority decides not to proceed to a decision on the merits because, despite the GDPR infringement, the controller has made a timely notification and has taken the necessary measures to avoid future infringements.
English Summary
Facts
On 20 September 2021, the data subject filed a complaint to the Belgian Data Protection Authority against the controller. The complaint concerns an unauthorised transfer of personal data within the framework of a GAS procedure. On 19 August 2021, the data subject reported the illegal dumping to the competent municipal services. The complaint resulted in an official report. This official report, including the non-anonymised annexes including the aforementioned report, was then submitted to the controller with a view to drawing up a GAS fine. The fine, including non-anonymised attachments, was passed on to the four suspects. Subsequently, the data subject indicates that he was approached by one of the four suspects on 16 September 2021 who confronted the data subject with the report of the illegal dumping made by her. In addition, the data subject reports that the GAS fine also displays the personal data of the 3 other suspects. The data subject submits to the authority that personal data were transferred by the controller without consent.
Holding
The Dispute Resolution Chamber finds that the controller has obtained personal data for a specific purpose, namely taking appropriate action in this case, a fine for illegal dumping problems. The controller cannot pass on the data obtained from the data subject to others without obtaining the prior consent of the data subject. The Dispute Resolution Chamber finds that there has been a breach of the principle of purpose limitation (Art. 5(1)(b) GDPR) as the controller transferred the personal data to the 4 defendants. This was not in accordance with the intended purpose for which the data were provided by the data subject, namely to take appropriate action against illegal dumping. It is an established fact that the recipients of the fine did not belong to the group of possible recipients in order to realise this purpose. Furthermore, the Court finds that the transfer was made without prior consent, so that there is no legitimate basis for the transfer and, consequently, Article 6(1)(a) GDPR has not been complied with. The Controller explicitly acknowledges having committed a serious error, stating that it is extremely important to handle confidential data with care. The Controller also timely reported this incident to the Authority, presenting concrete measures to avoid such incidents in the future. For these reasons, the Dispute Resolution Chamber has decided not to hear the substance of the case.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/5 Dispute room Decision 130/2021 of 29 November 2021 File number : DOS-2021-06086 Subject : Complaint regarding the transfer of personal data in the context of a GAS procedure The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, single chairperson; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has taken the following decision regarding: The complainant: Mrs. X “the complainant”; Defendant Y, hereinafter referred to as “the controller”. Decision 130/2021 - 2/5 I. Facts procedure 1. On 20 September 2021, the complainant lodged a complaint with the Data Protection Authority against the controller. The subject of the complaint concerns the transfer of personal data in the context of a GAS procedure. On 19 August 2021, the complainant reported the illegal dumping to the competent authorities municipal services. Based on this report from the complainant, an inspector or agent of the competent police zone draws up an official report. This official report, including the non- anonymised attachments, including the aforementioned notification, were then transferred to the controller with a view to drawing up the GAS fine. Afterwards made the controller the GAS fine by letter, also with appendices, including the non-anonymized report from the complainant in turn to each of the four suspects. The complainant indicates that he was approached by one of the 4 suspects on September 16, 2021 who confronted her with the report of the illegal dumping. in addition does the complainant state that the personal data of the 3 other persons is also included in the GAS fine? suspects are displayed. 2. On 1 October 2021, the complaint will be declared admissible by the Frontline Service on the basis of the Articles 58 and 60 WOG and the complaint on the basis of art. 62, §1 WOG transferred to the Dispute room. II. Competence of the Data Protection Authority 3. The Disputes Chamber states that the complaint relates to the processing of personal data 1 of both the complainant and the other data subjects within the meaning of Article 4, 2° of the GDPR to which the GDPR applies. 4. The GAS service of the controller acts in accordance with the Act on 2 the municipal administrative sanction as sanctioning GAS official in the present matter. As a controller, they draw up GAS sanctions based on the processes verbally as drawn up by the inspectors or agents of the competent police zone. In within this framework they also send a copy of the official report and all appendices to the suspects. 5. For this aspect, acting as a sanctioning GAS official and all associated processing, the Y acts as a controller and not as a processor of the 1Article 4,2)GDPR:““processing”:anoperation or a set of operations relating to personal data or a set of of personal data, whether or not performed via automated processes, such as collecting, recording, organizing, to structure, to store, to update or modify, to request, to consult, to use, to provide by transmission, to distribute or otherwise make available, align or combine, block, erase or destroy data” 2Law of 24 June 2013 on municipal administrative sanctions, Belgian Official Gazette 1 July 2013. Decision 130/2021 - 3/5 police zone. Therefore, the Data Protection Authority is authorized to take cognizance of the complaint. III. Justification 6. The problem presented by the complainant concerns the transfer by the controller, without having given his consent, of personal data relating to her to 4 suspects of the GAS fine regarding illegal dumping. 7. The Disputes Chamber establishes that the controller is responsible for the personal data, know has obtained the name and e-mail address of the complainant with a view to a specific purpose, namely to take appropriate measures, in this case a GAS fine to to solve the illegal dumping problem in the municipality. The controller may Do not pass on information obtained from the complainant as provided in her complaint to others without the prior consent of the complainant. 8. However, it is common ground that the controller will process the complainant's personal data as provided through her complaint to the 4 defendants. This was was in no way consistent with the intended purpose for which the data was provided by the complainant, namely taking appropriate measures to act against illegal dumping. It is established that the recipients of the GAS fine for illegal dumping of the complainant did not belonged to the group of possible recipients in order to achieve this purpose. Thus there is a violation of the purpose limitation principle (Article 5.1 b) GDPR). 9. In addition, this transfer to the recipients of the GAS fine in question took place without to have obtained the prior consent of the complainant for this purpose, so that no there was a lawful basis for such transfer and therefore Article 6.1 a) GDPR did not was respected. 10. In view of these findings, the Disputes Chamber is of the opinion that the infringement of Article 5.1 b) GDPR and Article 6.1 a) GDPR is proven. However, the controller expressly acknowledges a serious mistake in which she herself indicates that it is extremely important to handle confidential information with care. The controller has also timely reported this incident to the Data Protection Authority, whereby some concrete measures have already been presented to prevent these incidents in the future to avoid. In view of the aforementioned reasons, the Disputes Chamber decides not to proceed with a treatment on the merits of this case. 11. The present decision is a prima facie decision made by the Disputes Chamber in accordance with Article 95WOG on the basis of the complaint lodged by the complainant, in the context of Decision 130/2021 - 4/5 the “procedure prior to the decision on the merits” and not a decision on the merits of the Disputes Chamber within the meaning of Article 100 WOG. As a result, the Disputes Chamber will only can impose sanctions listed in Article 95 WOG on the controller and not 4 the sanctions from article 100 WOG, such as an administrative fine. 12. The purpose of this decision is to inform the controller of the fact that it has committed a violation of the provisions of the GDPR and that it is in the possibility to still comply with the aforementioned provisions. 13. However, if the controller does not agree with the content of this prima facie decision and considers that it may allow factual and/or legal arguments money that could lead to a different decision, can be sent to the email address litigationchamber@apd-gba.be submit a request for treatment on the merits of the case to the Disputes Chamber and this within the period of 14 days after notification of this decision. The enforcement of this decision will, if necessary, be during the aforementioned period suspended. 14. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber will the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their to submit defenses and to attach to the file any documents they deem useful. The If necessary, this decision will be definitively suspended. 15. For the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may be lead to the imposition of the measures stated in Article 100 WOG. 16. Finally, the Disputes Chamber points out the following: If one of the parties wishes to make use of the possibility to consult and copying the file (art. 95, §2, 3° WOG), this should contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment 3 Section 3, Subsection 2 WOG (Articles 94 to 97). 41° to dismiss a complaint; 2° order the suspension of prosecution; 3° order the suspension of the judgment; 4° propose a settlement; 5° to formulate warnings and reprimands; 6° order compliance with the data subject's requests to exercise his/her rights; 7° to order that the data subject is informed of the security problem; 8° to order that the processing be temporarily or permanently frozen, restricted or prohibited; 9° to order that the processing is brought into conformity; 10° the rectification, restriction or deletion of data and notification thereof to the recipients of the data to command; 11° to order the withdrawal of the recognition of certification bodies; 12° to impose periodic penalty payments; 13° impose administrative fines; 14° order the suspension of cross-border data flows to another State or an international institution; 15° to transfer the file to the public prosecutor's office of the Public Prosecutor in Brussels, who will inform it of the consequence that the file is given; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 130/2021 - 5/5 to capture. If a copy of the file is requested, the documents will be 5 delivered electronically or otherwise by regular mail. IV. Publication of the decision 17. Given the importance of transparency in the decision-making of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. It is not necessary, however, that the identification data of the parties be made public directly. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - Pursuant to Article 58.2.a) GDPR and Article 95, § 1, 4° WOG, to contact the controller warn that intended processing infringes Article 5.1, b) GDPR and Article 6.1 a) GDPR matters. Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a period of thirty days, from the notification, to the Marktenhof, with the Data Protection Authority as Defendant. (get). Hielke Hijmans Chairman of the Disputes Chamber 5Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the Disputes Chamber is NOT provided. Moreover, in principle all communication takes place electronically.