APD/GBA (Belgium) - 16/2023
From GDPRhub
| APD/GBA - 16/2023 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(2) GDPR Article 6(1) GDPR Article 24(1) GDPR Article 29 GDPR Article 32 GDPR Act of 8 August 1983 regulating a National Register of Natural Persons |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 27.02.2023 |
| Decided: | |
| Published: | 28.02.2023 |
| Fine: | n/a |
| Parties: | Centre public d'action sociale |
| National Case Number/Name: | 16/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | Décision 16/2023 (in FR) |
| Initial Contributor: | Matthias Smet |
The Belgian DPA issued a warning to a natural person, who had consulted the complainant's legal address in the national register of natural persons by abusing her access as social assistant. The complaint against the employer was dismissed since no infringement to GDPR or other data protection laws had been discovered on her part.
English Summary
Facts
Complainant noticed that her personal data was consulted on 4 September 2019 by an intermediate of the Crossroads Bank for Social Security (CBSS). Consequently, she exercised her right of access towards the BCSS, which resulted in discovering that an employee (defendant 1) of the public social service center (CPAS) had consulted her data.
Based on this information a complaint has been filed stating both defendants has breached article 5.1 GDPR and articles 5 and 13 of the Act of 8 August 1983 regulating a National Register of Natural Persons which exhaustively list the purposes for which the register may be consulted.
Since the complaint is directed against two defendants, the litigation chamber wants to determine who is the data controller within the framework of this processing activity. The DPA stated that CPAS remains the data controller for the consultations carried out by her employees. However, this qualification as 'data controller' is limited to the consultations that are carried out within the framework of the of CPAS's mission, i.e. pursuing the purposes set out in article 5 of the Act of 8 August 1983 regulating a National Register of Natural Persons. In case of consultations and searches outside the framework of her duties as a social agent and searches for private purpose/use , the CPAS employee (in this case Defendant 1), acts as controller.
Holding
Towards the employee of CPAS (Defendant 1):
The DPA states that defendant 1 has consulted that national register without any legal basis. In doing so, the she was guilty of a breach of Article 6 of the GDPR. This breach, combined with a breach of Article 5.1.a of the GDPR under which the processing of personal data must in particular be lawful prompted the DPA to warn defendant 1 for the future that the consultation of personal data from the National Register via the BCSS for private purposes personal data constitutes an unlawful processing of personal data.
Towards CPAS: The documents that was handed over prove that CPAS had taken appropriate and sufficient measures in order to prevent and detect abusive use of the national registers. The necessary technical logging procedure provides the organisation with information regadering who has consulted personal data in the national register and when (by using a time stamp). As a reactive measure CPAS will also conduct quarterly check the consultations carried out by Defendant 1. Taking this into account, the litigation chamber has dismissed the complaint against CPAS, since no infringement to GDPR or other data protection laws had been discovered on her part.
Comment
- The wording of the complaint and the documents that were handed over imply that the complainant is the ex-wife of defendant 1's father.
- Besides the administrative procedure before the litigation chamber, article 13 of the Act of 8 August 1983 regulating a National Register of Natural Persons foresees legal sanctions as fines and imprisonment under Belgian criminal law.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/9
Litigation Chamber
Decision 16/2023 of February 27, 2023
File number: DOS-2021-06717
Subject: Consultation for private purposes of the National Register by an agent of the Center
provincial social action
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and
to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the
data protection), hereinafter “GDPR”;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter
“ACL”;
Having regard to the internal regulations as approved by the House of Representatives on 20
December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The plaintiff: Ms. X, hereinafter “the plaintiff”; .
.
.
The defendant: Mrs. Y1, hereinafter: “the defendant 1”;
Center public d’action sociale de […] Y2, hereinafter: “the defendant 2”. Decision 16//2023 – 2/9
I. Facts and procedure
1. The subject of the complaint concerns the consultation on September 4, 2019 of personal data
staff of the National Register by the defendant 1.
2. The wording of the complaint and the documents in the file indicate that the complainant is the ex-partner
Defendant 1's father. Defendant 1 works as a social worker with
of Defendant 2. Plaintiff submits that Defendant 1 is guilty of
breaches of Article 5.1.a of the GDPR, in combination with Articles 5 and 13 of the law of
August 8, 1983 organizing a National Register of natural persons to have consulted the
National Registry for improper purposes, through his functions with the defendant 2. In
consulting the history of consultations of her data in the National Register, the complainant
discovered that a consultation of his data had been carried out on September 4, 2019 by
through the Crossroads Bank for Social Security (BCSS). The complainant exercised
his right of access to the BCSS, which revealed to him that the consultation had been carried out by
2. After having exercised its right of access to the latter, the
Defendant 2 then told him that this consultation was done by Defendant 1 to
private purposes.
3. On 11 October 2021, the complainant lodged a complaint with the Authority for the Protection of
given against the defendant 1.
4. On October 19, 2021, the complaint was declared admissible by the Front Line Service on the
1
basis of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Chamber
st 2
pursuant to Article 62, § 1 of the LCA.
5. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the rules of order
inside the DPA, a copy of the file may be requested by the parties. If one of
parties wishes to make use of the possibility of consulting the file, the latter is required to
contact the secretariat of the Litigation Chamber, preferably via the address
litigationchamber@apd-gba.be.
II. Motivation
II.1. Identification of data controllers and their processing
6. As already recalled by the Litigation Chamber in its decision 129/2021, 3
in accordance with Article 4 §1 LCA, the DPA is responsible for monitoring the principles of
1 Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision, of the fact that the complaint has been
declared admissible.
2 Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Division informs the parties of the fact that following
of this complaint, the file was forwarded to him.
3
Litigation Chamber, decision 129/2021 of November 26, 2021 (available on
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-129-2021.pdf) Decision 16//2023 – 3/9
data protection contained in the GDPR and other laws containing provisions
relating to the protection of personal data including the Law of 8 August 1983
organizing a National Register of natural persons and the Law of January 15, 1990
organization of the Crossroads Bank for Social Security (BCSS) . 4
7. In accordance with article 4 §7 LCA, it is necessary to consider as responsible for the
processing: “the natural or legal person, public authority, service or other
body which, alone or jointly with others, determines the aims and means of
treatment ".
8. In this case, the Litigation Division finds that Defendant 2 determines the
purposes and means of processing. Indeed, for the CPAS, consultations of the Register
national via the BCSS are carried out only within the framework of its application missions
of social security. It is also defendant 2 who makes available to its
agents the means to carry out such processing (via its computer systems). THE
CPAS must therefore be considered as a data controller for consultations
BCSS personal data.
9. It should also be noted that, as stated by the Court of Justice of the European Union
(CJEU) in its Wirtschaftakademie judgment of June 5, 2018, “the notion of
“controller” refers to the organization which, “alone or jointly with others”
determines the purposes and means of the processing of personal data, this
concept does not necessarily refer to a single organization and may relate to several
actors […]”. Although defendant 2 is the controller of the
consultation of the BCSS by its employees, this does not therefore mean, in this case,
that she alone corresponds to this quality. It is necessary to distinguish between consultations
of the BCSS within the framework of the purposes of the missions of the defendant 2 of the consultations
abuses carried out for private purposes by the defendant 1. Although having used the means
made available by Defendant 2, and to the extent that Defendant 1 dealt with the
personal data of the BCSS for its own purposes, that is to say outside
within the scope of its duties as agent for Respondent 2, Respondent 1 must be
considered as a data controller for BCSS consultations,
specifically for those made for private purposes .7
10. The Litigation Division therefore distinguishes the processing carried out within the framework of
consultations of the National Register as provided for by the purposes of the defendant 2,
4
Draft law creating the Data Protection Authority, explanatory memorandum, Doc., Ch., 2016-2017, n°2648/001,
5. 13.
6Art. 4 §4 1° of the organic law of 15 January 1990 on the Crossroads Bank for Social Security, hereinafter BCSS law.
CJEU (gde ch.), judgment of June 5, 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v.
Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16, § 29.
7 European Data Protection Board (EDPB), Guidelines 07/2020 concerning the concepts of responsible
of processing and processing in the GDPR, version 2.0, p. 33, § 88. Decision 16//2023 – 4/9
consultations for private purposes carried out by the defendant 1. Although the latter
either responsible for processing for abusive consultations, defendant 2 remains
data controller for consultations of the National Register in the context of
8 9
purposes determined by him (application of social security). In this context, the
defendant 2 remains subject to the principle of responsibility (art. 5.2 and 24 of the GDPR) and, in
as data controller and employer, in Articles 29 and 32 of the GDPR. For these
reasons, although not directly covered by the complaint filed with the DPA, the
Litigation Chamber will state additional findings in this regard.
II.2. As to the breaches of the GDPR alleged by the defendant 1
11. Access to the data contained in the National Register constitutes processing of
personal data within the meaning of Article 4.2 of the GDPR. Under this
qualification, this processing is subject to the various prescriptions and obligations of the GDPR and
in particular to the principles of legality, fairness and transparency provided for in Article 5.1.a of the
GDPR.
12. The principle of lawfulness indicates that any processing of personal data must
have one of the bases of lawfulness in article 6.1 of the GDPR.
13. It appears from the documents in the file, including the assertions of Respondent 2, that in
consulting on September 4, 2019 the data "legal address" of the complainant, the
defendant 1 did not proceed to a consultation in the context of the performance of a
task which falls within his competence as a CPAS agent.
14. By virtue of their function, and for the sole performance of the tasks relating to it, the agents
CPAS have access to certain data from the National Register via the BCSS . He 10
it is their responsibility to scrupulously respect the purposes of this access which they prefer.
15. By failing to respect the purpose of the access granted to it, Respondent 1
consulted the National Register without an adequate legal basis. Therefore, she proceeded to a
data processing in respect of which it will not be able to validly invoke
one of the bases of lawfulness required by Article 6 of the GDPR. In doing so, the defendant
found guilty of a breach of Article 6 of the GDPR. This failure is combined with a
breach of Article 5.1.a of the GDPR according to which the processing of data to
personal character must in particular be lawful. This requirement, while not limited to
compliance with Article 6, undoubtedly encompasses it.
8
9Art. 2.2.f) of the BCSS Law.
European Data Protection Board (EDPB), Guidelines 07/2020 concerning the concepts of responsible
of processing and processing in the GDPR, version 2.0, p. 33, § 88, footnote 34.
10Art. 3 in combination with art. 2.2.f of the BCSS Law. Decision 16//2023 – 5/9
16. The Litigation Chamber considers that, on the basis of the facts mentioned above, it would appear that
Defendant 1 may have committed a violation of Articles 5.1.a and 6.1 of the GDPR, which
justifies, in this case, taking a decision in accordance with Article 95, §
1, 4° of the LCA, more specifically to warn defendant 1 for the future that the
consultation of personal data from the National Register via the BCSS for the purposes
personal data constitutes an unlawful processing of personal data, and therefore a
violation of articles 5.1.a and 6.1 of the GDPR.
17. This decision is a prima facie decision taken by the Litigation Chamber
pursuant to Article 95 of the LCA on the basis of the complaint lodged by the complainant/the
complainant, in the context of the "procedure prior to the substantive decision" and not a
decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA.
18. The purpose of this decision is to inform defendant 1, allegedly responsible for the
processing, because it may have violated the provisions of the GDPR,
in order to enable it to still comply with the aforementioned provisions.
19. If, however, Respondent 1 disagrees with the content of this decision
prima facie and believes that it can make factual and/or legal arguments that
could lead to another decision, it may send the Litigation Chamber a
request for treatment on the merits of the case via the e-mail address litigationchamber@apd-
gba.be, within 30 days of notification of this decision. The case
applicable, the execution of this decision is suspended for the period
aforementioned.
20. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3°
juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their
conclusions and attach to the file all the documents they deem useful. If applicable, the
this decision is permanently suspended.
21. With a view to transparency, the Litigation Division finally emphasizes that a
dealing with the case on the merits may lead to the imposition of the measures mentioned in
section 100 of the ACL .2
1Section 3, Subsection 2 of the ACL (articles 94 to 97 inclusive).
12Art. 100. § 1. The litigation chamber has the power to
1° dismiss the complaint without follow-up;
2° order the dismissal;
3° pronouncing the suspension of the pronouncement;
4° to propose a transaction;
5° issue warnings and reprimands;
6° order to comply with requests from the data subject to exercise his or her rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or permanent prohibition of processing;
9° order compliance of the processing;
10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the
data ; Decision 16//2023 – 6/9
II.3. As to the alleged breach of the GDPR by the defendant 2
22. As data controller, defendant 2 is required to implement
the data protection principles and must be able to demonstrate that these
13
are respected, in accordance with the principle of accountability. Moreover, it must always
in its capacity as data controller, implement all measures
14
necessary for this purpose.
23. On the basis of Article 5.1.f of the GDPR, personal data must be processed
so as to ensure appropriate security, "including protection against the processing
unauthorized or unlawful and against accidental loss, destruction or damage,
using appropriate technical or organizational measures”.
24. In the absence of appropriate measures to secure the personal data of the
data subjects, the effectiveness of the fundamental rights to privacy and protection
personal data cannot be guaranteed, especially given the crucial role played
by information and communication technologies in our society.
25. It should be noted that the security principle set out in Article 5.1.f is now established
in the GDPR at the same level as the fundamental principles of lawfulness, transparency,
loyalty.
26. The obligations of data controllers with regard to the security of processing are based
on articles 32 et seq. of the GDPR.
27. It appears from the documents in the file that defendant 2 is able to identify the agent
having consulted the personal data of the National Register of the complainant, thus
than the date of consultation. The defendant was not, however, capable of knowing the
purpose of the consultation as well as the data consulted without further consultation
of said data. According to defendant 2, access to the software allowing the
consultation of the National Register would be limited to the use of social workers and the
executive management. Following the event giving rise to the complaint, respondent 2 indicated
make arrangements vis-à-vis the agent concerned and put in place a control
quarterly of consultations of personal data carried out under its responsibility.
28. On the basis of the facts described in the complaint file as summarized above, and on the
powers attributed to it by the legislator under Article 95, § 1 of the
LCA, the Litigation Chamber decides on the follow-up to be given to the file; in this case, the
11° order the withdrawal of accreditation from certification bodies;
12° to issue periodic penalty payments;
13° to issue administrative fines;
14° order the suspension of cross-border data flows to another State or an international body;
15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
13Article 5.2 GDPR.
14Article 24 GDPR. Decision 16//2023 – 7/9
Litigation Chamber decides to proceed with the dismissal of the complaint,
in accordance with Article 95, § 1, 3° of the LCA, for the reasons set out below.
29. In terms of dismissal, the Litigation Chamber is required to justify its
15
step-by-step decision and:
- to pronounce a classification without technical continuation if the file does not contain or not
sufficient element likely to lead to a sanction or if it includes a
technical obstacle preventing him from rendering a decision;
- or pronounce a classification without further opportunity, if, despite the presence
elements likely to lead to a sanction, the continuation of the examination of the
file does not seem to him to be appropriate given the priorities of the Autorité de
data protection as specified and illustrated in the Privacy Policy
16
dismissal of the Litigation Chamber.
30. In the event of dismissal based on several reasons for dismissal, these
last (respectively, classification without technical continuation and classification without continuation
timeliness) should be addressed in order of importance .7
31. In this case, the Litigation Chamber decides to proceed with a classification without follow-up
the complaint for technical reasons for the breaches alleged to the defendant 2. The
decision of the Litigation Division is based more specifically on the fact that the complaint is not
not sufficiently supported by evidence of the existence of a violation of the GDPR or the laws
protection of personal data. Indeed, it appears from the documents in the file that few
information relating to the security measures put in place by the defendant 2
been communicated to the Litigation Chamber. On the basis of this information, the Chamber
Litigation is not in a position to determine whether defendant 2 breached its
obligations of data controller.
III. Publication of the decision
32. Given the importance of transparency regarding the decision-making process of the Chamber
Litigation, this decision is published on the website of the Protection Authority
15Cour des marchés (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18.
16
In this respect, the Litigation Chamber refers to its policy of classification without follow-up as developed and published on
the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-
classification-without-continuation-of-the-litigation-chamber.pdf.
17Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Litigation Chamber? of the
dismissal policy of the Litigation Chamber.
18Cf. Reason A.1 of the dismissal policy of the Litigation Chamber. Decision 16//2023 – 8/9
Datas. However, it is not necessary for this purpose that the identification data
of the parties are communicated directly.
FOR THESE REASONS,
The Litigation Chamber of the Data Protection Authority decides, subject to
the introduction of a request by one of the defendants for treatment on the merits
in accordance with articles 98 e.s. of the ACL:
- With regard to defendant 1: pursuant to Article 58.2.a) of the GDPR and
article 95, § 1, 4° of the LCA, to warn the defendant 1 for the future that the
consultation of personal data in the National Register for the purposes
private constitutes a violation of Article 5, paragraph 1, a) and Article 6,
paragraph 1 of the GDPR;
- With regard to defendant 2: to dismiss, pursuant to article 95,
§1, 3° of the LCA.
In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,
within thirty days of its notification, to the Court of Markets (court
d'appel de Bruxelles), with the Data Protection Authority as defendant. Decision 16//2023 – 9/9
Such an appeal may be introduced by means of an interlocutory request which must contain the
information listed in article 1034ter of the Judicial Code. The interlocutory motion must be
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 20
via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).
(Sr.) Hielke H IJMANS
President of the Litigation Chamber
19The application contains on pain of nullity:
(1) indication of the day, month and year;
2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or
Business Number;
3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
(4) the object and summary statement of the means of the request;
(5) the indication of the judge who is seized of the application;
6° the signature of the applicant or his lawyer.
20
The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court office.
