APD/GBA (Belgium) - 84-2022
APD/GBA - 84-2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(1)(d) GDPR Article 6(1) GDPR Article 13 GDPR Article 14 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 10.08.2020 |
Decided: | 22.04.2022 |
Published: | 24.05.2022 |
Fine: | 5000 EUR |
Parties: | n/a |
National Case Number/Name: | 84-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | Autorité de protection des données, Decision quant au fond 84/2022 du 24 mai 2022 (in FR) |
Initial Contributor: | Maria Anagnostou |
The Belgian DPA fined a website provider €5,000 for listing personal data of lawyers on its website without a legal basis and without informing the data subjects. In addition, its privacy and cookie policy were not compliant with the GDPR.
English Summary
Facts
On 4 June 2020, the Belgian DPA received a complaint from the Order of Francophone Bars of Belgium (OBGF) and Mr. Forges concerning two websites (sos-services.be & sos.avocats.com) that list lawyers with their full name, address, a telephone number (if available) and a description of their activities. The operator of the websites is the controller. The lawyers are the data subjects.
The OBGF and Mr. Forges stated that the abovementioned personal data was processed without consent (or any other legal basis) and without informing them. They also stated the privacy policy and the use of cookies was not compliant with the GDPR.
The Controller raised 3 legal bases for the processing of the lawyers' personal data. First, it argued that the processing of the personal data is based on a contractual relationship with the lawyers listed. Second, it stated to have obtained consent from some lawyers. The controller did admit not to have obtained consent from all lawyers. Third, the controller argues that "some processing activities are undoubtedly based on legitimate interest," either of the data subject or the controller.
The controller stated it modified its privacy policy and added a cookie policy during the proceedings.
The controller stated that it no longer operates sos.avocats.com.
Holding
The DPA held that the controller did not have a legal basis for the processing of the personal data (Article 5(1) GDPR). The controller did not demonstrate a contractual relationship (Article 6(1)(b)) with the lawyers concerned. The DPA also found no evidence of consent given by the lawyers (Article 6(1)(a)). Regarding the controllers argument on the legitimate interest, the DPA noted that relying on the legitimate interest of a data subject for its own processing goes against all logic of the GDPR. As for its own legitimate interest, this would not override the fundamental rights and freedoms of the lawyers concerned. The DPA therefore held that the controller violated Article 5(1)(a) and Article 6.
The DPA also held that the revision of the controllers privacy policy was not sufficient. First of all, it didn’t indicate the purposes of the processing of the personal data of the persons concerned. Second, the DPA held that the retention period was not specific enough, as users could not foresee the actual retention period of their data. Hence, there was a breach of Article 13 and Article 14.
The DPA held that the controller violated Article 5(1)(a) (principle of fairness), as it did not inform the data subjects about the processing, the purposes pursued and it relates to data of which the persons concerned do not now how or where this was collected. The controller also violated the principle of purpose limitation (Article 5(1)(b)) by not indicating the purposes of processing. Moreover, the principle of accuracy (Article 5(1)(d)) was violated, as the personal data was outdated, or simply made-up.
The DPA fined the controller €5,000 and ordered to suspend all processing of the lawyers' personal data listed on its website.
The DPA ordered the controller, first of all, to transmit the list of recipients (including subcontractors) to whom the personal data concerned was communicated or confirm in writing that no such transfer took place and, secondly, to submit a revision of its privacy policy in accordance with the GDPR within 3 months. Lastly, to permanently remove all personal data and send a written confirmation to the DPA of the removal.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/25 Litigation Division Decision on the merits 84/2022 of 24 May 2022 File number: DOS--2020-02294 Subject: Complaint by the Ordre des Barreaux Francophones de Belgique (OBGF) and Mr Forges against referencing sites The Contentious Chamber of the Data Protection Authority, consisting of Mr Hielke Hijmans, chairman, and Messrs Yves Poullet and Frank De Smet; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the the protection of individuals with regard to the processing of personal data and the free movement of such data the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR". Protection), hereinafter "GDPR"; Having regard to the Act of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA) ; Having regard to the Law of 30 July 2018 on the protection of individuals with regard to the Having regard to the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data (hereinafter LVP); Having regard to the internal rules of procedure as approved by the House of Representatives on 20 Having regard to the rules of procedure as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Journal on 15 January 2019; Having regard to the documents in the file; Has taken the following decision concerning: The complainant: Ordre des Barreaux Francophones et Germanophones de Belgique (O.B.F.G.) and Mr. Forges, represented by Mr. Etienne Wéry, lawyer, whose office is located at 1050 Brussels, avenue de la Couronne 224, hereinafter 'the plaintiff'; The defendant: Y, hereinafter 'the defendant'. Decision on the merits 84 / 2022 - 2/25 I. Retroactive effects of the proceedings 1. On 4 June 2020 the Ordre des Barreaux Francophones et Germanophones de Belgique (OBFG) and Mr. Forges (hereinafter 'the plaintiff') filed a complaint with the Court. and Mr Forges (hereinafter "the complainant") lodged a complaint with the Data Protection Authority the Data Protection Authority against the defendant. 2. The subject of the complaint concerns the referral sites sos-services.be and sos-avocats.com, both operated by the defendant. The complainant states that lawyers who are members of the The complainant states that lawyers who are members of the complainant are listed on these sites without any legal basis and without them even being informed of this. The The complainant also states that the information about them is often erroneous, and that testimonies falsely falsely attributed to the referred lawyers. He also raised The complainant also raised the issue of the lack of compliance with the RGPD of both the privacy charter and the information on the use of cookies by both use of cookies by the two websites mentioned above. 3. Following several requests by local associations, the president of the complainant's association contacted the in September 9, 2019, the manager of the websites on this subject, without any response. 4. On 10 July 2020 the complaint was declared admissible by the Front Line Service on the basis of articles 58 and 60 of the LCA and the complaint is forwarded to the Contentious Chamber pursuant to Article 62, § 1 of the LCA. 5. On 10 August 2020 the Contentious Chamber decides, pursuant to Article 95, § 1, 1° and Article 98 of the LCA, that the case can be dealt with on the merits. 6. 6. On 10 August 2020, the parties concerned are informed by registered mail of the provisions as set out in Article 95, § 2 and Article 98 of the LCA. They shall also be They shall also be informed of the time limits for submitting their submissions pursuant to Article 99 of the LCA. The The deadline for the receipt of the defendant's response was set at 21 September 2020, the deadline for the 21 September 2020, for the Complainant's reply submissions on 12 October 2020 and for the The deadline for the defendant's reply submissions is 2 November 2020. 7. On 22 September 2020 the Contentious Chamber received an email from the Respondent announcing its its submissions, but without an attachment. On 25 September 2020 the Registry of the Contentious Registry of the Contentious Chamber responds to the Respondent drawing its attention to the absence of the pleadings in its email of 22 September 2020. This email remained unanswered by the defendant. On 15 October, the Registry of the Contentious Chamber sent an email back to the defendant defendant in order to find out about its conclusions. The defendant replies on 2 November 2020 and The defendant replies on 2 November 2020 and sends its submissions, indicating that if the complainant requests an extension of the deadline for the defendant would not object. 8. The Respondent further requests a hearing with the aim, as it states, of exposing its good faith and good faith and, above all, to show that it had no intention of infringing the rights of the persons concerned and that it had no data subjects, on the one hand, and on the other hand, to trade in the data collected. Decision on the merits 84 / 2022 - 3/25 9. On 3 November 2020, the complainant contacted the registry of the Contentious Division, indicating that that the removal of the Respondent's submissions from the proceedings would not be requested, provided The Complainant contacts the Registry of the Contentious Chamber, indicating that it would not request the withdrawal of the Respondent's pleadings, provided that it could benefit from an extension of the time limit for the reply. 10. On 4 January 2021, the Contentious Chamber received the reply submissions from the complainant. 11. The Contentious Chamber did not receive any reply submissions from the Respondent. 12. On 4 February 2022, the parties are informed that the hearing will take place on 28 March 2022. 13. On 28 March 2022, the parties are heard by the Contentious Chamber. 14. On 30 March 2022, the minutes of the hearing are submitted to the parties. 15. 15. The Contentious Chamber receives no comments from the parties on the minutes, which it 15. The Contentious Chamber did not receive any comments from the parties on the minutes, which it decided to include in its deliberations. 16. On 22 April 2022, the Contentious Chamber informed the Respondent of its intention to to impose an administrative fine and the amount of the fine, in order to give the Respondent the to give the Respondent the opportunity to defend itself before the sanction is actually imposed. imposed. 17. The Respondent does not follow up on the opportunity to defend itself or to share its remarks the intention of the Contentious Chamber to impose an administrative fine and the amount of the fine. the amount of the fine. II. On the competence of the DPA 18. It is important to stress, in the present case, that the disputed treatments took place, as the defendant at the hearing on 28 April 2022, since 2016. However, the DPA, and therefore the Contentious Chamber, have been the Contentious Chamber, were created by the LCA, which came into force on the same day as the the RGPD, i.e. on 25 May 2018. The Contentious Chamber therefore does not consider itself not consider itself competent to verify the lawfulness of the processing operations for the period prior to 25 May 2018, although it would like to point out that the law of 8 December 1992 on the protection of protection of privacy in relation to the processing of personal data already applied the same principles as those principles that will be discussed below. Only the processing of after 25 May 2018 will be analysed. 19. 19. The Contentious Chamber also points out that since the entry into force on 10 January 2022 of the transposing the European Electronic Communications Code and amending various provisions on electronic of various provisions on electronic communications of 21 December 2021 (hereinafter: "Law of 21 December 2021 (hereinafter: "Act of 21 December 2021"), the DPA is now competent, under Belgian law to control the provisions on the placement and use of cookies. The aforementioned law introduced, among other things, amendments to the Communications Act