APD/GBA (Belgium) - 16/2023
APD/GBA - 16/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(2) GDPR Article 6(1) GDPR Article 24(1) GDPR Article 29 GDPR Article 32 GDPR Act of 8 August 1983 regulating a National Register of Natural Persons |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 27.02.2023 |
Decided: | |
Published: | 28.02.2023 |
Fine: | n/a |
Parties: | Centre public d'action sociale |
National Case Number/Name: | 16/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | Décision 16/2023 (in FR) |
Initial Contributor: | Matthias Smet |
The Belgian DPA issued a warning to a natural person, who had consulted the complainant's legal address in the national register of natural persons by abusing her access as social assistant. The complaint against the employer was dismissed since no infringement to GDPR or other data protection laws had been discovered on her part.
English Summary
Facts
Complainant noticed that her personal data was consulted on 4 September 2019 by an intermediate of the Crossroads Bank for Social Security (CBSS). Consequently, she exercised her right of access towards the BCSS, which resulted in discovering that an employee (defendant 1) of the public social service center (CPAS) had consulted her data.
Based on this information a complaint has been filed stating both defendants has breached Article 5(1) and articles 5 and 13 of the Act of 8 August 1983 regulating a National Register of Natural Persons which exhaustively list the purposes for which the register may be consulted.
Since the complaint is directed against two defendants, the litigation chamber wants to determine who is the data controller within the framework of this processing activity. The DPA stated that CPAS remains the data controller for the consultations carried out by her employees. However, this qualification as 'data controller' is limited to the consultations that are carried out within the framework of the of CPAS's mission, i.e. pursuing the purposes set out in Article 5 of the Act of 8 August 1983 regulating a National Register of Natural Persons. In case of consultations and searches outside the framework of her duties as a social agent and searches for private purpose/use , the CPAS employee (in this case Defendant 1), acts as controller.
Holding
Towards the employee of CPAS (Defendant 1):
The DPA states that defendant 1 has consulted that national register without any legal basis. In doing so, the she was guilty of a breach of Article 6 GDPR. This breach, combined with a breach of Article 5(1)(a) under which the processing of personal data must in particular be lawful prompted the DPA to warn defendant 1 for the future that the consultation of personal data from the National Register via the BCSS for private purposes personal data constitutes an unlawful processing of personal data.
Towards CPAS: The documents that was handed over prove that CPAS had taken appropriate and sufficient measures in order to prevent and detect abusive use of the national registers. The necessary technical logging procedure provides the organisation with information regadering who has consulted personal data in the national register and when (by using a time stamp). As a reactive measure CPAS will also conduct quarterly check the consultations carried out by Defendant 1. Taking this into account, the litigation chamber has dismissed the complaint against CPAS, since no infringement to GDPR or other data protection laws had been discovered on her part.
Comment
- The wording of the complaint and the documents that were handed over imply that the complainant is the ex-wife of defendant 1's father.
- Besides the administrative procedure before the litigation chamber, article 13 of the Act of 8 August 1983 regulating a National Register of Natural Persons foresees legal sanctions as fines and imprisonment under Belgian criminal law.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/9 Litigation Chamber Decision 16/2023 of February 27, 2023 File number: DOS-2021-06717 Subject: Consultation for private purposes of the National Register by an agent of the Center provincial social action The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter “ACL”; Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Made the following decision regarding: The plaintiff: Ms. X, hereinafter “the plaintiff”; . . . The defendant: Mrs. Y1, hereinafter: “the defendant 1”; Center public d’action sociale de […] Y2, hereinafter: “the defendant 2”. Decision 16//2023 – 2/9 I. Facts and procedure 1. The subject of the complaint concerns the consultation on September 4, 2019 of personal data staff of the National Register by the defendant 1. 2. The wording of the complaint and the documents in the file indicate that the complainant is the ex-partner Defendant 1's father. Defendant 1 works as a social worker with of Defendant 2. Plaintiff submits that Defendant 1 is guilty of breaches of Article 5.1.a of the GDPR, in combination with Articles 5 and 13 of the law of August 8, 1983 organizing a National Register of natural persons to have consulted the National Registry for improper purposes, through his functions with the defendant 2. In consulting the history of consultations of her data in the National Register, the complainant discovered that a consultation of his data had been carried out on September 4, 2019 by through the Crossroads Bank for Social Security (BCSS). The complainant exercised his right of access to the BCSS, which revealed to him that the consultation had been carried out by 2. After having exercised its right of access to the latter, the Defendant 2 then told him that this consultation was done by Defendant 1 to private purposes. 3. On 11 October 2021, the complainant lodged a complaint with the Authority for the Protection of given against the defendant 1. 4. On October 19, 2021, the complaint was declared admissible by the Front Line Service on the 1 basis of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Chamber st 2 pursuant to Article 62, § 1 of the LCA. 5. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the rules of order inside the DPA, a copy of the file may be requested by the parties. If one of parties wishes to make use of the possibility of consulting the file, the latter is required to contact the secretariat of the Litigation Chamber, preferably via the address litigationchamber@apd-gba.be. II. Motivation II.1. Identification of data controllers and their processing 6. As already recalled by the Litigation Chamber in its decision 129/2021, 3 in accordance with Article 4 §1 LCA, the DPA is responsible for monitoring the principles of 1 Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision, of the fact that the complaint has been declared admissible. 2 Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Division informs the parties of the fact that following of this complaint, the file was forwarded to him. 3 Litigation Chamber, decision 129/2021 of November 26, 2021 (available on https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-129-2021.pdf) Decision 16//2023 – 3/9 data protection contained in the GDPR and other laws containing provisions relating to the protection of personal data including the Law of 8 August 1983 organizing a National Register of natural persons and the Law of January 15, 1990 organization of the Crossroads Bank for Social Security (BCSS) . 4 7. In accordance with article 4 §7 LCA, it is necessary to consider as responsible for the processing: “the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the aims and means of treatment ". 8. In this case, the Litigation Division finds that Defendant 2 determines the purposes and means of processing. Indeed, for the CPAS, consultations of the Register national via the BCSS are carried out only within the framework of its application missions of social security. It is also defendant 2 who makes available to its agents the means to carry out such processing (via its computer systems). THE CPAS must therefore be considered as a data controller for consultations BCSS personal data. 9. It should also be noted that, as stated by the Court of Justice of the European Union (CJEU) in its Wirtschaftakademie judgment of June 5, 2018, “the notion of “controller” refers to the organization which, “alone or jointly with others” determines the purposes and means of the processing of personal data, this concept does not necessarily refer to a single organization and may relate to several actors […]”. Although defendant 2 is the controller of the consultation of the BCSS by its employees, this does not therefore mean, in this case, that she alone corresponds to this quality. It is necessary to distinguish between consultations of the BCSS within the framework of the purposes of the missions of the defendant 2 of the consultations abuses carried out for private purposes by the defendant 1. Although having used the means made available by Defendant 2, and to the extent that Defendant 1 dealt with the personal data of the BCSS for its own purposes, that is to say outside within the scope of its duties as agent for Respondent 2, Respondent 1 must be considered as a data controller for BCSS consultations, specifically for those made for private purposes .7 10. The Litigation Division therefore distinguishes the processing carried out within the framework of consultations of the National Register as provided for by the purposes of the defendant 2, 4 Draft law creating the Data Protection Authority, explanatory memorandum, Doc., Ch., 2016-2017, n°2648/001, 5. 13. 6Art. 4 §4 1° of the organic law of 15 January 1990 on the Crossroads Bank for Social Security, hereinafter BCSS law. CJEU (gde ch.), judgment of June 5, 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16, § 29. 7 European Data Protection Board (EDPB), Guidelines 07/2020 concerning the concepts of responsible of processing and processing in the GDPR, version 2.0, p. 33, § 88. Decision 16//2023 – 4/9 consultations for private purposes carried out by the defendant 1. Although the latter either responsible for processing for abusive consultations, defendant 2 remains data controller for consultations of the National Register in the context of 8 9 purposes determined by him (application of social security). In this context, the defendant 2 remains subject to the principle of responsibility (art. 5.2 and 24 of the GDPR) and, in as data controller and employer, in Articles 29 and 32 of the GDPR. For these reasons, although not directly covered by the complaint filed with the DPA, the Litigation Chamber will state additional findings in this regard. II.2. As to the breaches of the GDPR alleged by the defendant 1 11. Access to the data contained in the National Register constitutes processing of personal data within the meaning of Article 4.2 of the GDPR. Under this qualification, this processing is subject to the various prescriptions and obligations of the GDPR and in particular to the principles of legality, fairness and transparency provided for in Article 5.1.a of the GDPR. 12. The principle of lawfulness indicates that any processing of personal data must have one of the bases of lawfulness in article 6.1 of the GDPR. 13. It appears from the documents in the file, including the assertions of Respondent 2, that in consulting on September 4, 2019 the data "legal address" of the complainant, the defendant 1 did not proceed to a consultation in the context of the performance of a task which falls within his competence as a CPAS agent. 14. By virtue of their function, and for the sole performance of the tasks relating to it, the agents CPAS have access to certain data from the National Register via the BCSS . He 10 it is their responsibility to scrupulously respect the purposes of this access which they prefer. 15. By failing to respect the purpose of the access granted to it, Respondent 1 consulted the National Register without an adequate legal basis. Therefore, she proceeded to a data processing in respect of which it will not be able to validly invoke one of the bases of lawfulness required by Article 6 of the GDPR. In doing so, the defendant found guilty of a breach of Article 6 of the GDPR. This failure is combined with a breach of Article 5.1.a of the GDPR according to which the processing of data to personal character must in particular be lawful. This requirement, while not limited to compliance with Article 6, undoubtedly encompasses it. 8 9Art. 2.2.f) of the BCSS Law. European Data Protection Board (EDPB), Guidelines 07/2020 concerning the concepts of responsible of processing and processing in the GDPR, version 2.0, p. 33, § 88, footnote 34. 10Art. 3 in combination with art. 2.2.f of the BCSS Law. Decision 16//2023 – 5/9 16. The Litigation Chamber considers that, on the basis of the facts mentioned above, it would appear that Defendant 1 may have committed a violation of Articles 5.1.a and 6.1 of the GDPR, which justifies, in this case, taking a decision in accordance with Article 95, § 1, 4° of the LCA, more specifically to warn defendant 1 for the future that the consultation of personal data from the National Register via the BCSS for the purposes personal data constitutes an unlawful processing of personal data, and therefore a violation of articles 5.1.a and 6.1 of the GDPR. 17. This decision is a prima facie decision taken by the Litigation Chamber pursuant to Article 95 of the LCA on the basis of the complaint lodged by the complainant/the complainant, in the context of the "procedure prior to the substantive decision" and not a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA. 18. The purpose of this decision is to inform defendant 1, allegedly responsible for the processing, because it may have violated the provisions of the GDPR, in order to enable it to still comply with the aforementioned provisions. 19. If, however, Respondent 1 disagrees with the content of this decision prima facie and believes that it can make factual and/or legal arguments that could lead to another decision, it may send the Litigation Chamber a request for treatment on the merits of the case via the e-mail address litigationchamber@apd- gba.be, within 30 days of notification of this decision. The case applicable, the execution of this decision is suspended for the period aforementioned. 20. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their conclusions and attach to the file all the documents they deem useful. If applicable, the this decision is permanently suspended. 21. With a view to transparency, the Litigation Division finally emphasizes that a dealing with the case on the merits may lead to the imposition of the measures mentioned in section 100 of the ACL .2 1Section 3, Subsection 2 of the ACL (articles 94 to 97 inclusive). 12Art. 100. § 1. The litigation chamber has the power to 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronouncing the suspension of the pronouncement; 4° to propose a transaction; 5° issue warnings and reprimands; 6° order to comply with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data ; Decision 16//2023 – 6/9 II.3. As to the alleged breach of the GDPR by the defendant 2 22. As data controller, defendant 2 is required to implement the data protection principles and must be able to demonstrate that these 13 are respected, in accordance with the principle of accountability. Moreover, it must always in its capacity as data controller, implement all measures 14 necessary for this purpose. 23. On the basis of Article 5.1.f of the GDPR, personal data must be processed so as to ensure appropriate security, "including protection against the processing unauthorized or unlawful and against accidental loss, destruction or damage, using appropriate technical or organizational measures”. 24. In the absence of appropriate measures to secure the personal data of the data subjects, the effectiveness of the fundamental rights to privacy and protection personal data cannot be guaranteed, especially given the crucial role played by information and communication technologies in our society. 25. It should be noted that the security principle set out in Article 5.1.f is now established in the GDPR at the same level as the fundamental principles of lawfulness, transparency, loyalty. 26. The obligations of data controllers with regard to the security of processing are based on articles 32 et seq. of the GDPR. 27. It appears from the documents in the file that defendant 2 is able to identify the agent having consulted the personal data of the National Register of the complainant, thus than the date of consultation. The defendant was not, however, capable of knowing the purpose of the consultation as well as the data consulted without further consultation of said data. According to defendant 2, access to the software allowing the consultation of the National Register would be limited to the use of social workers and the executive management. Following the event giving rise to the complaint, respondent 2 indicated make arrangements vis-à-vis the agent concerned and put in place a control quarterly of consultations of personal data carried out under its responsibility. 28. On the basis of the facts described in the complaint file as summarized above, and on the powers attributed to it by the legislator under Article 95, § 1 of the LCA, the Litigation Chamber decides on the follow-up to be given to the file; in this case, the 11° order the withdrawal of accreditation from certification bodies; 12° to issue periodic penalty payments; 13° to issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. 13Article 5.2 GDPR. 14Article 24 GDPR. Decision 16//2023 – 7/9 Litigation Chamber decides to proceed with the dismissal of the complaint, in accordance with Article 95, § 1, 3° of the LCA, for the reasons set out below. 29. In terms of dismissal, the Litigation Chamber is required to justify its 15 step-by-step decision and: - to pronounce a classification without technical continuation if the file does not contain or not sufficient element likely to lead to a sanction or if it includes a technical obstacle preventing him from rendering a decision; - or pronounce a classification without further opportunity, if, despite the presence elements likely to lead to a sanction, the continuation of the examination of the file does not seem to him to be appropriate given the priorities of the Autorité de data protection as specified and illustrated in the Privacy Policy 16 dismissal of the Litigation Chamber. 30. In the event of dismissal based on several reasons for dismissal, these last (respectively, classification without technical continuation and classification without continuation timeliness) should be addressed in order of importance .7 31. In this case, the Litigation Chamber decides to proceed with a classification without follow-up the complaint for technical reasons for the breaches alleged to the defendant 2. The decision of the Litigation Division is based more specifically on the fact that the complaint is not not sufficiently supported by evidence of the existence of a violation of the GDPR or the laws protection of personal data. Indeed, it appears from the documents in the file that few information relating to the security measures put in place by the defendant 2 been communicated to the Litigation Chamber. On the basis of this information, the Chamber Litigation is not in a position to determine whether defendant 2 breached its obligations of data controller. III. Publication of the decision 32. Given the importance of transparency regarding the decision-making process of the Chamber Litigation, this decision is published on the website of the Protection Authority 15Cour des marchés (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18. 16 In this respect, the Litigation Chamber refers to its policy of classification without follow-up as developed and published on the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de- classification-without-continuation-of-the-litigation-chamber.pdf. 17Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Litigation Chamber? of the dismissal policy of the Litigation Chamber. 18Cf. Reason A.1 of the dismissal policy of the Litigation Chamber. Decision 16//2023 – 8/9 Datas. However, it is not necessary for this purpose that the identification data of the parties are communicated directly. FOR THESE REASONS, The Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by one of the defendants for treatment on the merits in accordance with articles 98 e.s. of the ACL: - With regard to defendant 1: pursuant to Article 58.2.a) of the GDPR and article 95, § 1, 4° of the LCA, to warn the defendant 1 for the future that the consultation of personal data in the National Register for the purposes private constitutes a violation of Article 5, paragraph 1, a) and Article 6, paragraph 1 of the GDPR; - With regard to defendant 2: to dismiss, pursuant to article 95, §1, 3° of the LCA. In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, to the Court of Markets (court d'appel de Bruxelles), with the Data Protection Authority as defendant. Decision 16//2023 – 9/9 Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory motion must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 20 via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.). (Sr.) Hielke H IJMANS President of the Litigation Chamber 19The application contains on pain of nullity: (1) indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or Business Number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; (4) the object and summary statement of the means of the request; (5) the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer. 20 The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by letter recommended to the court clerk or filed with the court office.