APD/GBA (Belgium) - 84-2022

From GDPRhub
Revision as of 16:07, 22 June 2022 by Jg (talk | contribs) (→‎English Machine Translation of the Decision)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - 84-2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(d) GDPR
Article 6(1) GDPR
Article 13 GDPR
Article 14 GDPR
Type: Complaint
Outcome: Upheld
Started: 10.08.2020
Decided: 22.04.2022
Published: 24.05.2022
Fine: 5000 EUR
Parties: n/a
National Case Number/Name: 84-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Autorité de protection des données, Decision quant au fond 84/2022 du 24 mai 2022 (in FR)
Initial Contributor: Maria Anagnostou

The Belgian DPA fined a website provider €5,000 for listing personal data of lawyers on its website without a legal basis and without informing the data subjects. In addition, its privacy and cookie policy were not compliant with the GDPR.

English Summary

Facts

On 4 June 2020, the Belgian DPA received a complaint from the Order of Francophone Bars of Belgium (OBGF) and Mr. Forges concerning two websites (sos-services.be & sos.avocats.com) that list lawyers with their full name, address, a telephone number (if available) and a description of their activities. The operator of the websites is the controller. The lawyers are the data subjects.

The OBGF and Mr. Forges stated that the abovementioned personal data was processed without consent (or any other legal basis) and without informing them. They also stated the privacy policy and the use of cookies was not compliant with the GDPR.

The Controller raised 3 legal bases for the processing of the lawyers' personal data. First, it argued that the processing of the personal data is based on a contractual relationship with the lawyers listed. Second, it stated to have obtained consent from some lawyers. The controller did admit not to have obtained consent from all lawyers. Third, the controller argues that "some processing activities are undoubtedly based on legitimate interest," either of the data subject or the controller.

The controller stated it modified its privacy policy and added a cookie policy during the proceedings.

The controller stated that it no longer operates sos.avocats.com.

Holding

The DPA held that the controller did not have a legal basis for the processing of the personal data (Article 5(1) GDPR). The controller did not demonstrate a contractual relationship (Article 6(1)(b)) with the lawyers concerned. The DPA also found no evidence of consent given by the lawyers (Article 6(1)(a)). Regarding the controllers argument on the legitimate interest, the DPA noted that relying on the legitimate interest of a data subject for its own processing goes against all logic of the GDPR. As for its own legitimate interest, this would not override the fundamental rights and freedoms of the lawyers concerned. The DPA therefore held that the controller violated Article 5(1)(a) and Article 6.

The DPA also held that the revision of the controllers privacy policy was not sufficient. First of all, it didn’t indicate the purposes of the processing of the personal data of the persons concerned. Second, the DPA held that the retention period was not specific enough, as users could not foresee the actual retention period of their data. Hence, there was a breach of Article 13 and Article 14.

The DPA held that the controller violated Article 5(1)(a) (principle of fairness), as it did not inform the data subjects about the processing, the purposes pursued and it relates to data of which the persons concerned do not now how or where this was collected. The controller also violated the principle of purpose limitation (Article 5(1)(b)) by not indicating the purposes of processing. Moreover, the principle of accuracy (Article 5(1)(d)) was violated, as the personal data was outdated, or simply made-up.

The DPA fined the controller €5,000 and ordered to suspend all processing of the lawyers' personal data listed on its website.

The DPA ordered the controller, first of all, to transmit the list of recipients (including subcontractors) to whom the personal data concerned was communicated or confirm in writing that no such transfer took place and, secondly, to submit a revision of its privacy policy in accordance with the GDPR within 3 months. Lastly, to permanently remove all personal data and send a written confirmation to the DPA of the removal.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/25
Litigation Division
Decision on the merits 84/2022 of 24 May 2022
File number: DOS--2020-02294
Subject: Complaint by the Ordre des Barreaux Francophones de Belgique (OBGF) and Mr Forges
against referencing sites
The Contentious Chamber of the Data Protection Authority, consisting of Mr Hielke
Hijmans, chairman, and Messrs Yves Poullet and Frank De Smet;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
the protection of individuals with regard to the processing of personal data and the free movement of such data
the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR".
Protection), hereinafter "GDPR";
Having regard to the Act of 3 December 2017 establishing the Data Protection Authority (hereinafter
LCA) ;
Having regard to the Law of 30 July 2018 on the protection of individuals with regard to the
Having regard to the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data (hereinafter LVP);
Having regard to the internal rules of procedure as approved by the House of Representatives on 20
Having regard to the rules of procedure as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Journal on 15 January 2019;
Having regard to the documents in the file;
Has taken the following decision concerning:
The complainant: Ordre des Barreaux Francophones et Germanophones de Belgique (O.B.F.G.) and
Mr. Forges, represented by Mr. Etienne Wéry, lawyer, whose office is located at
1050 Brussels, avenue de la Couronne 224, hereinafter 'the plaintiff';
The defendant: Y, hereinafter 'the defendant'.
Decision on the merits 84 / 2022 - 2/25
I. Retroactive effects of the proceedings
1. On 4 June 2020 the Ordre des Barreaux Francophones et Germanophones de Belgique (OBFG) and Mr. Forges (hereinafter 'the plaintiff') filed a complaint with the Court.
and Mr Forges (hereinafter "the complainant") lodged a complaint with the Data Protection Authority
the Data Protection Authority against the defendant.
2. The subject of the complaint concerns the referral sites sos-services.be and sos-avocats.com,
both operated by the defendant. The complainant states that lawyers who are members of the
The complainant states that lawyers who are members of the complainant are listed on these sites without any legal basis and without them even being informed of this. The
The complainant also states that the information about them is often erroneous, and that testimonies falsely
falsely attributed to the referred lawyers. He also raised
The complainant also raised the issue of the lack of compliance with the RGPD of both the privacy charter and the information on the use of cookies by both
use of cookies by the two websites mentioned above.
3. Following several requests by local associations, the president of the complainant's association contacted the
in September 9, 2019, the manager of the websites on this subject, without any response.
4. On 10 July 2020 the complaint was declared admissible by the Front Line Service on the basis of
articles 58 and 60 of the LCA and the complaint is forwarded to the Contentious Chamber pursuant to
Article 62, § 1 of the LCA.
5. On 10 August 2020 the Contentious Chamber decides, pursuant to Article 95, § 1, 1° and Article
98 of the LCA, that the case can be dealt with on the merits.
6. 6. On 10 August 2020, the parties concerned are informed by registered mail of the provisions
as set out in Article 95, § 2 and Article 98 of the LCA. They shall also be
They shall also be informed of the time limits for submitting their submissions pursuant to Article 99 of the LCA. The
The deadline for the receipt of the defendant's response was set at 21 September 2020, the deadline for the
21 September 2020, for the Complainant's reply submissions on 12 October 2020 and for the
The deadline for the defendant's reply submissions is 2 November 2020.
7. On 22 September 2020 the Contentious Chamber received an email from the Respondent announcing its
its submissions, but without an attachment. On 25 September 2020 the Registry of the Contentious
Registry of the Contentious Chamber responds to the Respondent drawing its attention to the absence of the pleadings
in its email of 22 September 2020. This email remained unanswered by the
defendant. On 15 October, the Registry of the Contentious Chamber sent an email back to the defendant
defendant in order to find out about its conclusions. The defendant replies on 2 November 2020 and
The defendant replies on 2 November 2020 and sends its submissions, indicating that if the complainant requests an extension of the deadline for
the defendant would not object.
8. The Respondent further requests a hearing with the aim, as it states, of exposing its good faith and
good faith and, above all, to show that it had no intention of infringing the rights of the persons concerned and that it had no
data subjects, on the one hand, and on the other hand, to trade in the data collected.
Decision on the merits 84 / 2022 - 3/25
9. On 3 November 2020, the complainant contacted the registry of the Contentious Division, indicating that
that the removal of the Respondent's submissions from the proceedings would not be requested, provided
The Complainant contacts the Registry of the Contentious Chamber, indicating that it would not request the withdrawal of the Respondent's pleadings, provided that it could benefit from an extension of the time limit for the reply.
10. On 4 January 2021, the Contentious Chamber received the reply submissions from the
complainant.
11. The Contentious Chamber did not receive any reply submissions from the Respondent.
12. On 4 February 2022, the parties are informed that the hearing will take place on 28 March 2022.
13. On 28 March 2022, the parties are heard by the Contentious Chamber.
14. On 30 March 2022, the minutes of the hearing are submitted to the parties.
15. 15. The Contentious Chamber receives no comments from the parties on the minutes, which it
15. The Contentious Chamber did not receive any comments from the parties on the minutes, which it decided to include in its deliberations.
16. On 22 April 2022, the Contentious Chamber informed the Respondent of its intention to
to impose an administrative fine and the amount of the fine, in order to give the Respondent the
to give the Respondent the opportunity to defend itself before the sanction is actually imposed.
imposed.
17. The Respondent does not follow up on the opportunity to defend itself or to share its remarks
the intention of the Contentious Chamber to impose an administrative fine and the amount of the fine.
the amount of the fine.
II. On the competence of the DPA
18. It is important to stress, in the present case, that the disputed treatments took place, as
the defendant at the hearing on 28 April 2022, since 2016. However, the DPA, and therefore the Contentious Chamber, have been
the Contentious Chamber, were created by the LCA, which came into force on the same day as the
the RGPD, i.e. on 25 May 2018. The Contentious Chamber therefore does not consider itself
not consider itself competent to verify the lawfulness of the processing operations for the period prior to 25 May
2018, although it would like to point out that the law of 8 December 1992 on the protection of
protection of privacy in relation to the processing of personal data already applied the same principles as those
principles that will be discussed below. Only the processing of
after 25 May 2018 will be analysed.
19. 19. The Contentious Chamber also points out that since the entry into force on 10 January 2022 of the
transposing the European Electronic Communications Code and amending various provisions on electronic
of various provisions on electronic communications of 21 December 2021 (hereinafter: "Law of 21 December 2021
(hereinafter: "Act of 21 December 2021"), the DPA is now competent, under Belgian law
to control the provisions on the placement and use of cookies. The aforementioned law
introduced, among other things, amendments to the Communications Act