APD/GBA (Belgium) - 161/2022
From GDPRhub
| APD/GBA - 161/2022 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 3(1) GDPR Article 3(2) GDPR Article 17 GDPR Article 77 GDPR |
| Type: | Complaint |
| Outcome: | Other Outcome |
| Started: | 29.08.2022 |
| Decided: | 08.11.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 161/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | Gegevensbeschermingsautoriteit (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA dismisses a complaint because the GDPR is not applicable when a controller, not established in the EEA, does not offer its services in euro and does not deliver its services in the EEA. The DPA holds that this controller only offers its services incidentally to data subjects in the EEA.
English Summary
Facts
The data subject received unwanted direct marketing from a controller on two separate occasions. However, the data subject claims it was never in contact with the controller. After contacting the controller to delete its personal data in accordance with Article 17, the controller failed to respond within one month.
Holding
The DPA first assesses whether the GDPR is applicable in this case. The controller has no establishment in the EEA, the DPA holds that Article 3(1) GDPR is thus not applicable. As such, the DPA tests the requirements under Article 3(2) GDPR for a controller to fall under the GDPR: - the offering of goods or services to data subjects in the Union; or - the monitoring of their behaviour as far as their behaviour takes place within the Union.
The DPA holds that it is unclear whether the data subject is located within the EEA. And even if the data subject is located within the EEA, the DPA holds that the processing activity does not relate to 'offering of services' or 'monitoring of behaviour'. In order to relate to these requirements, several factors must be taken into accounts in concreto, such as, but not limited to: - the possibility to pay in euro - the language of the website/service being used in the EEA
The DPA refers to the EDPB guidelines 03/2018 on the territorial scope of the GDPR. These guidelines state controllers which offer goods and services incidentally or unintentionally to persons in the EEA do not automatically fall under the GDPR.
The DPA decides that the controller does not fall under the GDPR based on the following: - the controller aims to create an English platform about Jewish women - workshops and books are being sold for this purpose in Israel - the workshops and books are only available in English, can only be bought in dollars and shekels, and the delivery is only possible in the USA, Canada and Israel.
The DPA also states that no other legislation regarding protection of personal data is applicable and as such, it is not competent in this case. It refers to the USA authorities to apply the GDPR in this case.
The DPA holds that the GDPR is not applicable and as such, the DPA is not competent handle the complaint.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/6
Dispute room
Decision 161/2022 of 8 November 2022
File number : DOS-2022-03527
Subject : Complaint for failure to comply with a request for
data erasure
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,
chairman, sitting alone;
Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and
on the free movement of such data and repealing Directive 95/46/EC (General
Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the internal rules of procedure, as approved by the Chamber of Representatives
on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
has taken the following decision regarding:
.
The complainant: Mr X, hereinafter referred to as “the complainant”; .
.
The Defendant: Y, hereinafter referred to as “the Defendant”. Decision 161/2022 - 2/6
I. Facts procedure
1. On 29 August 2022, the complainant lodged a complaint with the Data Protection Authority against the
defendant.
The complaint concerns the unsolicited sending of newsletters by the defendant. The complainant states that
he received unwanted emails from the defendant on July 19, 2022 and August 29, 2022,
despite the fact that he never had contact with the defendant. On 20 July 2022, the complainant heeft
his request for the right to erasure exercised in accordance with Article 17 GDPR at
regard to the defendant. However, he was not allowed to receive an answer to this within the legal framework
provided period of 1 month.
2. On October 11, 2022, the complaint will be declared admissible by the Frontline Service on the basis of the
Articles 58 and 60 of the WOG and the complaint pursuant to Article 62, §1 of the WOG is forwarded to the
Dispute room.
II. Justification
3. Based on the elements in the file known to the Disputes Chamber and on the basis of the
powers assigned to it by the legislator on the basis of Article 95, §1 WOG, the
Disputes room about the further follow-up of the file; in this case, the Disputes Chamber proceeds to:
the dismissal of the complaint in accordance with Article 95, §1, 3° WOG, based on the following
motivation.
4. In the event of a dismissal, the Disputes Chamber must gradually investigate and motivate: 1
- whether there is insufficient prospect of a conviction, after which a technical dismissal follows;
- whether a successful conviction would be technically feasible but on grounds, in general
interest, a (further) prosecution is undesirable, followed by a policy dismissal.
In the event that more than one soil is disposed of, the discarded soils (or technical
2
and policy dismissal) should be treated in order of importance.
5. Based on the information currently available to the Disputes Chamber, it considers it
impossible to follow up on the complaint for the reasons that will be explained below
explained. Consequently, it decides to proceed with a technical dismissal.
6. So that the Disputes Chamber - to which the complainant relied on the basis of Article 77 of the GDPR -
would be competent to handle his complaint, it is in the first place necessary that the GDPR
1
cf. judgment of the Brussels Court of Appeal (Marktenhof), 2 September 2020, no. 2020/5460, 18.
2Ibid. Decision 161/2022 - 3/6
applies to the facts at issue or whether other legislation relating to
data protection that may form the basis of the jurisdiction of the Disputes Chamber, of
applies.
7. The AVG only applies if the data processing is within the scope of the AVG
fall.
8. With regard to the territorial scope of the GDPR, Article 3 of the GDPR assumes
of two different cases. In the first case (Article 3.1 of the GDPR), the
data processing carried out in the context of the activities of an establishment of a
controller in the territory of the European Economic Area. This first
3
hypothesis therefore presupposes the existence of an establishment on the territory of European
Economic Area. The complaint in the present case is against a legal person who is
United States of which there is no establishment in the territory of the European
Economic Area exists. Article 3.1. of the GDPR therefore does not apply.
9. The second case provided for in article 3.2GDPR specifies that the GDPR applies to the processing
of personal data that meet the following three cumulative conditions:
- the processing was carried out by a controller who is not established in the
European Economic Area;
- the processing concerns data subjects who are located on the territory of the European
Economic Area; and
- these processing activities are related to:
a) offering goods or services to these data subjects (Article 3.2.a) GDPR) or
b) monitoring their behavior, insofar as this behavior in the European Economic Area
takes place (Article 3.2.b) GDPR).
10. On the basis of the documents in the file, the Disputes Chamber is of the opinion that in this case this
cumulative conditions are met. With regard to the first condition, the Disputes Chamber
established that the defendant is indeed not established in the European Economic Area. For what
Concerning the second condition, the Disputes Chamber notes that it is not clear from the complaint whether the
the complainant was located in the territory of the European Economic Area. Assuming
that the complainant was indeed located in the territory of the European Economic Area in the
at the time of the alleged facts - which is therefore not clear from the complaint - has not been fulfilled
to the third condition. The processing activity in question is not related to "offering
of goods and services" , nor with "monitoring of data subjects' behaviour".
3The concept of establishment is explained in recital 22: Establishment presupposes the effective and effective exercise of
activities through sustainable relationships. The legal form of such relationships, whether a branch or a
subsidiary with legal personality, is not decisive in this regard. Decision 161/2022 - 4/6
11. The offering of goods and services should be understood as an offer of goods and
services specifically aimed at data subjects in the European Economic Area
(for example, on a website located outside the borders of the European Economic Area, which
offer goods and services in one of the languages of the European Economic Area, with
possibility to pay in euros, etc.) . These elements must be assessed in concrete terms
to determine whether goods and services are being offered. 5 The
Litigation Chamber recalls that Recital 23 confirms that the accessibility of the website
of the controller, processor or an intermediary in the European Economic Area
Space, the mention on the website of his e-mail or geographical address, or of his telephone number
without an international code, does not in itself constitute sufficient evidence that the
controller or processor intends to offer goods or services
to a data subject in the European Economic Area. In this regard, the Disputes Chamber refers
to the Guidelines of the European Data Protection Board (EDPB) stating that
when goods or services are inadvertently or incidentally supplied to a person on the
territory of the European Economic Area, the related processing of
personal data does not fall under the territorial scope of the GDPR. 6
12. In this case, the purpose of the controller is to create an (English) platform
where insights and experiences can be shared about the challenges and triumphs of
Jewish women. In this context, writing workshops as well as a book with testimonials
of Jewish women in Israel for sale. The workshops and the book are only available in
in English and are also only offered for sale against payment in dollars and shekels. The book can
also only be delivered within the United States of America and Canada on the one hand and Israel
on the other hand. The Disputes Chamber therefore concludes that there is no question of an offer of
goodsandservicesspecificallyfocusedonthepersonsintheEuropeanEconomicSpace
in accordance with Article 3.2.a) GDPR.
13. By "monitoring the behavior of the data subjects", it is understood, the
trackingactivitiesofthebehaviourontheinternetbutnotjustthat. More generally it's possible
include activities to monitor the behavior of data subjects, such as behavioral advertising,
geolocation for direct marketing purposes, the use of cookies or surveillance cameras. There is
also the condition that this behavior must take place within the European Economic Area. From the
4see Article 29 Data Working Party, EU General Data Protection Regulation: General Information Document, p.2, available at
https://www.appaforum.org/wp-content/uploads/2019/10/appa-gdpr-general-information-document.pdf.
5D. SVANTESSON “Article 3. Territorial scope”, in C. KUNER. the EU General Data Protection Regulation, A Commentary, Oxford University
Press 2020, p. 90.
6
EDPB Guidelines 3/2018 on the territorial scope of the GDPR (art. 3) dated. November 19, 2019, p. 18, available at
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf.
7 EDPB Guidelines 3/2018 on the territorial scope of the GDPR (art. 3) dated. November 19, 2019, p. 19, available at
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf
8
EDPB Guidelines 3/2018 on the territorial scope of the GDPR (art. 3) dated. November 19, 2019, p. 20, available at
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf Decision 161/2022 - 5/6
There is no indication in the complaint that there would be any monitoring of the behavior of the person concerned. The
The Disputes Chamber therefore concludes that there is no monitoring of the behavior of
data subjects in accordance with Article 3.2.a) GDPR.
14. In view of the above, the Disputes Chamber decides that the GDPR does not apply to the facts
presented in the complaint.
15. The Disputes Chamber also notes that with regard to the facts in the present complaint, no
some other legislation on the protection of personal data applies which means that
there are no elements giving rise to its competence. In that case, it belongs to the
competent US authorities to apply the GDPR in this case.
16. Since the GDPR does not apply in this case, nor does any other legislation containing provisions
contains on the protection of the processing of personal data, which could be the basis
constitute the competence of the Data Protection Authority, it is not possible that the
The Disputes Chamber will handle your complaint. Pursuant to art. 95, §1, 3° of the law of 3
December 2017 establishing the Data Protection Authority, the Disputes Chamber decides
consequently to dismiss the complaint.
III.Publication of the decision
17. In view of the importance of transparency with regard to the decision-making of the Disputes Chamber,
this decision will be published on the website of the Data Protection Authority. It is
however, it is not necessary for the identification of the parties to be directly used for this purpose
announced.
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- pursuant to art. 95, §1, 3° WOG to dismiss the complaint.
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification
appeal against this decision to the Marktenhof (Brussels Court of Appeal), with the
Data Protection Authority as Defendant.
Such an appeal may be lodged by means of an adversarial petition that the
9
1034terof the Judicial Code, the statements listed should contain .The application to
9The petition states on pain of nullity: Decision 161/2022 - 6/6
contradiction must be submitted to the registry of the Market Court in accordance with Article
1034quinquies of the Ger.W. , or via the e-Deposit IT system of Justice (Article 32ter
of the Ger.W.).
(get). Hielke Hijmans
Chairman of the Disputes Chamber
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
company number;
3° the name, first name, place of residence and, where applicable, the capacity of the person to be summoned;
4° the subject matter and the brief summary of the grounds of the claim;
5° the court before whom the claim is brought;
6° the signature of the applicant or of his lawyer.
10The application with its annex shall be sent, in as many copies as there are interested parties, by registered letter to the
clerk of the court or at the registry.
