APD/GBA (Belgium) - 84-2022

From GDPRhub
APD/GBA - 84-2022
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(d) GDPR
Article 6(1) GDPR
Article 13 GDPR
Article 14 GDPR
Type: Complaint
Outcome: Upheld
Started: 10.08.2020
Decided: 22.04.2022
Published: 24.05.2022
Fine: 5000 EUR
Parties: n/a
National Case Number/Name: 84-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Autorité de protection des données, Decision quant au fond 84/2022 du 24 mai 2022 (in FR)
Initial Contributor: Maria Anagnostou

The Belgian DPA fined a website provider €5,000 for listing personal data of lawyers on its website without a legal basis and without informing the data subjects. In addition, its privacy and cookie policy were not compliant with the GDPR.

English Summary

Facts

On 4 June 2020, the Belgian DPA received a complaint from the Order of Francophone Bars of Belgium (OBGF) and Mr. Forges concerning two websites (sos-services.be & sos.avocats.com) that list lawyers with their full name, address, a telephone number (if available) and a description of their activities. The operator of the websites is the controller. The lawyers are the data subjects.

The OBGF and Mr. Forges stated that the abovementioned personal data was processed without consent (or any other legal basis) and without informing the data subjects. They also stated that the privacy policy and the use of cookies were not compliant with the GDPR.

The controller raised three legal bases for the processing of the lawyers' personal data. First, it argued that the processing of the personal data was based on a contractual relationship with the lawyers listed. Second, it stated that it had obtained consent from some lawyers, while admitting that it had not obtained consent from all of them. Third, the controller argued that "some processing activities are undoubtedly based on legitimate interest," either of the data subject or the controller.

The controller stated it modified its privacy policy and added a cookie policy during the proceedings.

The controller stated that it no longer operates sos.avocats.com.

Holding

The DPA held that the controller did not have a legal basis for the processing of the personal data (Article 5(1) GDPR). The controller did not demonstrate a contractual relationship (Article 6(1)(b)) with the lawyers concerned. The DPA also found no evidence of consent given by the lawyers (Article 6(1)(a)). Regarding the controller's argument on legitimate interest, the DPA noted that relying on the legitimate interest of a data subject for its own processing goes against all logic of the GDPR. As for the controller's own legitimate interest, this would not override the fundamental rights and freedoms of the lawyers concerned. The DPA therefore held that the controller violated Article 5(1)(a) and Article 6.

The DPA also held that the revision of the controller's privacy policy was not sufficient. First, it did not indicate the purposes of the processing of the personal data of the persons concerned. Second, the DPA held that the retention period was not specific enough, as users could not foresee the actual retention period of their data. Hence, there was a breach of Article 13 and Article 14.

The DPA held that the controller violated Article 5(1)(a) (principle of fairness), as it did not inform the data subjects about the processing or the purposes pursued, and the processing related to data for which the persons concerned did not know how or where it was collected. The controller also violated the principle of purpose limitation (Article 5(1)(b)) by not indicating the purposes of processing. Moreover, the principle of accuracy (Article 5(1)(d)) was violated, as the personal data was outdated or simply made up.

The DPA fined the controller €5,000 and ordered it to suspend all processing of the lawyers' personal data listed on its website.

The DPA ordered the controller, first, to transmit the list of recipients (including subcontractors) to whom the personal data concerned was communicated, or to confirm in writing that no such transfer took place, and, second, to submit a revision of its privacy policy in accordance with the GDPR within 3 months. Lastly, it ordered the controller to permanently remove all personal data and to send the DPA written confirmation of the removal.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.