APD/GBA (Belgium) - 16/2023

From GDPRhub
Revision as of 14:40, 14 March 2023 by SR (talk | contribs)
APD/GBA - 16/2023
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(2) GDPR
Article 6(1) GDPR
Article 24(1) GDPR
Article 29 GDPR
Article 32 GDPR
Act of 8 August 1983 regulating a National Register of Natural Persons
Type: Complaint
Outcome: Partly Upheld
Started: 27.02.2023
Decided:
Published: 28.02.2023
Fine: n/a
Parties: Centre public d'action sociale
National Case Number/Name: 16/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Décision 16/2023 (in FR)
Initial Contributor: Matthias Smet

An employee of the public social service acts as controller when consulting a data subject's entry in the national register for personal purposes. This processing does not rely on a legal basis and therefore breaches Articles 5(1)(a) and 6 GDPR.

English Summary

Facts

A data subject noticed that her personal data had been consulted on 4 September 2019 through the Crossroads Bank for Social Security (BCSS). She then exercised her right of access towards the BCSS and discovered that an employee (defendant 1) of the public social service center (CPAS) (defendant 2) had consulted her data. Based on this information, the data subject filed a complaint stating that both defendants had breached Article 5(1) GDPR and Articles 5 and 13 of the Act of 8 August 1983 regulating a National Register of Natural Persons, which exhaustively list the purposes for which the register may be consulted.

Holding

Since the complaint was directed against two defendants, the litigation chamber determined who was the data controller for this processing activity. The DPA stated that CPAS remained the data controller for the consultations carried out by its employees. However, this qualification as 'data controller' is limited to the consultations that are carried out within the framework of CPAS's mission, i.e. pursuing the purposes set out in Article 5 of the Act of 8 August 1983 regulating a National Register of Natural Persons. For consultations and searches outside the framework of the employee's duties as a social agent, and for searches for private purposes, the CPAS's employee (in this case defendant 1) was acting as controller.

Towards the employee of CPAS (defendant 1):

The DPA stated that the employee consulted the national register without any legal basis. In doing so, she was guilty of a breach of Article 6 GDPR combined with a breach of Article 5(1)(a), under which the processing of personal data must in particular be lawful. The DPA warned for the future that the consultation of personal data from the National Register via the BCSS for private purposes constitutes an unlawful processing of personal data.

Towards CPAS:

The DPA considered that CPAS had taken appropriate and sufficient measures in order to prevent and detect abusive use of the national registers. It therefore dismissed the complaint against CPAS.

Comment

  • The wording of the complaint and the documents that were handed over imply that the complainant is the ex-wife of defendant 1's father.
  • Besides the administrative procedure before the litigation chamber, Article 13 of the Act of 8 August 1983 regulating a National Register of Natural Persons provides for legal sanctions such as fines and imprisonment under Belgian criminal law.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.






Litigation Chamber

Decision 16/2023 of February 27, 2023





File number: DOS-2021-06717


Subject: Consultation for private purposes of the National Register by an agent of the Center provincial social action




The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter “LCA”;

Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;


Considering the documents in the file;


Made the following decision regarding:



The plaintiff: Ms. X, hereinafter “the plaintiff”;

The defendant: Mrs. Y1, hereinafter: “the defendant 1”;

Center public d’action sociale de […] Y2, hereinafter: “the defendant 2”.


I. Facts and procedure


 1. The subject of the complaint concerns the consultation on September 4, 2019 of personal data of the National Register by the defendant 1.


 2. The wording of the complaint and the documents in the file indicate that the complainant is the ex-partner of Defendant 1's father. Defendant 1 works as a social worker with Defendant 2. The complainant submits that Defendant 1 is guilty of breaches of Article 5.1.a of the GDPR, in combination with Articles 5 and 13 of the law of August 8, 1983 organizing a National Register of natural persons, for having consulted the National Register for improper purposes, through her functions with Defendant 2. In consulting the history of consultations of her data in the National Register, the complainant discovered that a consultation of her data had been carried out on September 4, 2019 through the Crossroads Bank for Social Security (BCSS). The complainant exercised her right of access to the BCSS, which revealed to her that the consultation had been carried out by Defendant 2. After she had exercised her right of access to the latter, Defendant 2 then told her that this consultation was done by Defendant 1 for private purposes.


 3. On 11 October 2021, the complainant lodged a complaint with the Data Protection Authority against the defendant 1.


 4. On October 19, 2021, the complaint was declared admissible by the Front Line Service on the basis of Articles 58 and 60 of the LCA¹ and the complaint was forwarded to the Litigation Chamber pursuant to Article 62, § 1 of the LCA.²


 5. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the internal rules of procedure of the DPA, a copy of the file may be requested by the parties. If one of the parties wishes to make use of the possibility of consulting the file, that party is required to contact the secretariat of the Litigation Chamber, preferably via the address litigationchamber@apd-gba.be.



II. Motivation


    II.1. Identification of data controllers and their processing


 6. As already recalled by the Litigation Chamber in its decision 129/2021,³ in accordance with Article 4 §1 LCA, the DPA is responsible for monitoring the principles of data protection contained in the GDPR and other laws containing provisions relating to the protection of personal data, including the Law of 8 August 1983 organizing a National Register of natural persons and the Law of January 15, 1990 on the organization of the Crossroads Bank for Social Security (BCSS).⁴

1 Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been declared admissible.
2 Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that, following this complaint, the file was forwarded to it.
3 Litigation Chamber, decision 129/2021 of November 26, 2021 (available on https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-129-2021.pdf).


 7. In accordance with article 4 §7 LCA, it is necessary to consider as controller: “the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing”.

 8. In this case, the Litigation Chamber finds that Defendant 2 determines the purposes and means of processing. Indeed, for the CPAS, consultations of the National Register via the BCSS are carried out only within the framework of its missions of applying social security. It is also defendant 2 who makes available to its agents the means to carry out such processing (via its computer systems). The CPAS must therefore be considered as a data controller for consultations of BCSS personal data.


 9. It should also be noted that, as stated by the Court of Justice of the European Union (CJEU) in its Wirtschaftsakademie judgment of June 5, 2018, “the notion of “controller” refers to the organization which, “alone or jointly with others” determines the purposes and means of the processing of personal data, this concept does not necessarily refer to a single organization and may relate to several actors […]”. Although defendant 2 is the controller of the consultation of the BCSS by its employees, this does not therefore mean, in this case, that it alone has this status. It is necessary to distinguish the consultations of the BCSS within the framework of the purposes of the missions of the defendant 2 from the abusive consultations carried out for private purposes by the defendant 1. Although she used the means made available by Defendant 2, and to the extent that Defendant 1 processed the personal data of the BCSS for her own purposes, that is to say outside the scope of her duties as agent of Defendant 2, Defendant 1 must be considered as a data controller for BCSS consultations, specifically for those made for private purposes.⁷


 10. The Litigation Chamber therefore distinguishes the processing carried out within the framework of consultations of the National Register as provided for by the purposes of the defendant 2 from the consultations for private purposes carried out by the defendant 1. Although the latter is the controller for the abusive consultations, defendant 2 remains data controller for consultations of the National Register in the context of purposes determined by it (application of social security).⁸ ⁹ In this context, the defendant 2 remains subject to the principle of accountability (art. 5.2 and 24 of the GDPR) and, as data controller and employer, to Articles 29 and 32 of the GDPR. For these reasons, although not directly covered by the complaint filed with the DPA, the Litigation Chamber will state additional findings in this regard.

4 Draft law creating the Data Protection Authority, explanatory memorandum, Doc., Ch., 2016-2017, n°2648/001, p. 13.
5 Art. 4 §4 1° of the organic law of 15 January 1990 on the Crossroads Bank for Social Security, hereinafter BCSS law.
6 CJEU (gde ch.), judgment of June 5, 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16, § 29.
7 European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, p. 33, § 88.



    II.2. As to the breaches of the GDPR alleged against the defendant 1


 11. Access to the data contained in the National Register constitutes processing of personal data within the meaning of Article 4.2 of the GDPR. As such, this processing is subject to the various prescriptions and obligations of the GDPR and in particular to the principles of lawfulness, fairness and transparency provided for in Article 5.1.a of the GDPR.


 12. The principle of lawfulness indicates that any processing of personal data must have one of the bases of lawfulness in article 6.1 of the GDPR.

 13. It appears from the documents in the file, including the assertions of Defendant 2, that in consulting on September 4, 2019 the data "legal address" of the complainant, the defendant 1 did not proceed to a consultation in the context of the performance of a task which falls within her competence as a CPAS agent.


 14. By virtue of their function, and for the sole performance of the tasks relating to it, CPAS agents have access to certain data from the National Register via the BCSS.¹⁰ It is their responsibility to scrupulously respect the purposes of this access granted to them.


 15. By failing to respect the purpose of the access granted to her, Defendant 1 consulted the National Register without an adequate legal basis. Therefore, she proceeded to a data processing in respect of which she will not be able to validly invoke one of the bases of lawfulness required by Article 6 of the GDPR. In doing so, the defendant was guilty of a breach of Article 6 of the GDPR. This failure is combined with a breach of Article 5.1.a of the GDPR, according to which the processing of personal data must in particular be lawful. This requirement, while not limited to compliance with Article 6, undoubtedly encompasses it.





8 Art. 2.2.f) of the BCSS Law.
9 European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, p. 33, § 88, footnote 34.
10 Art. 3 in combination with art. 2.2.f of the BCSS Law.


 16. The Litigation Chamber considers that, on the basis of the facts mentioned above, it would appear that Defendant 1 may have committed a violation of Articles 5.1.a and 6.1 of the GDPR, which justifies, in this case, taking a decision in accordance with Article 95, § 1, 4° of the LCA, more specifically to warn defendant 1 for the future that the consultation of personal data from the National Register via the BCSS for personal purposes constitutes an unlawful processing of personal data, and therefore a violation of articles 5.1.a and 6.1 of the GDPR.


 17. This decision is a prima facie decision taken by the Litigation Chamber pursuant to Article 95 of the LCA on the basis of the complaint lodged by the complainant, in the context of the "procedure prior to the substantive decision", and not a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA.


 18. The purpose of this decision is to inform defendant 1, allegedly the controller, of the fact that she may have violated the provisions of the GDPR, in order to enable her to still comply with the aforementioned provisions.

 19. If, however, Defendant 1 disagrees with the content of this prima facie decision and believes that she can make factual and/or legal arguments that could lead to another decision, she may send the Litigation Chamber a request for treatment on the merits of the case via the e-mail address litigationchamber@apd-gba.be, within 30 days of notification of this decision. Where applicable, the execution of this decision is suspended for the aforementioned period.

 20. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their conclusions and attach to the file all the documents they deem useful. Where applicable, this decision is permanently suspended.


 21. With a view to transparency, the Litigation Chamber finally emphasizes that dealing with the case on the merits may lead to the imposition of the measures mentioned in Article 100 of the LCA.¹²




11 Section 3, Subsection 2 of the LCA (articles 94 to 97 inclusive).

12 Art. 100. § 1. The litigation chamber has the power to:
 1° dismiss the complaint without follow-up;
 2° order the dismissal;
 3° pronounce the suspension of the pronouncement;
 4° propose a transaction;
 5° issue warnings and reprimands;
 6° order to comply with requests from the data subject to exercise his or her rights;
 7° order that the person concerned be informed of the security problem;
 8° order the freezing, limitation or temporary or permanent prohibition of processing;
 9° order compliance of the processing;
 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data;



    II.3. As to the alleged breach of the GDPR by the defendant 2


 22. As data controller, defendant 2 is required to implement the data protection principles and must be able to demonstrate that these are respected, in accordance with the principle of accountability.¹³ Moreover, it must always, in its capacity as data controller, implement all measures necessary for this purpose.¹⁴

 23. On the basis of Article 5.1.f of the GDPR, personal data must be processed so as to ensure appropriate security, “including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”.


 24. In the absence of appropriate measures to secure the personal data of the data subjects, the effectiveness of the fundamental rights to privacy and protection of personal data cannot be guaranteed, especially given the crucial role played by information and communication technologies in our society.

 25. It should be noted that the security principle set out in Article 5.1.f is now established in the GDPR at the same level as the fundamental principles of lawfulness, transparency and fairness.


 26. The obligations of data controllers with regard to the security of processing are based on articles 32 et seq. of the GDPR.

 27. It appears from the documents in the file that defendant 2 is able to identify the agent having consulted the complainant's personal data from the National Register, as well as the date of consultation. The defendant was not, however, capable of knowing the purpose of the consultation as well as the data consulted without further consultation of said data. According to defendant 2, access to the software allowing the consultation of the National Register would be limited to the use of social workers and the executive management. Following the event giving rise to the complaint, defendant 2 indicated that it had made arrangements vis-à-vis the agent concerned and put in place a quarterly control of consultations of personal data carried out under its responsibility.


 28. On the basis of the facts described in the complaint file as summarized above, and on the basis of the powers attributed to it by the legislator under Article 95, § 1 of the LCA, the Litigation Chamber decides on the follow-up to be given to the file; in this case, the Litigation Chamber decides to proceed with the dismissal of the complaint, in accordance with Article 95, § 1, 3° of the LCA, for the reasons set out below.

 11° order the withdrawal of accreditation from certification bodies;
 12° issue periodic penalty payments;
 13° issue administrative fines;
 14° order the suspension of cross-border data flows to another State or an international body;
 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file;
 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
13 Article 5.2 GDPR.
14 Article 24 GDPR.


 29. In terms of dismissal, the Litigation Chamber is required to justify its decision step by step¹⁵ and:

            - to pronounce a dismissal on technical grounds if the file does not contain any, or not sufficient, elements likely to lead to a sanction or if it includes a technical obstacle preventing it from rendering a decision;

            - or to pronounce a dismissal on grounds of opportunity if, despite the presence of elements likely to lead to a sanction, the continuation of the examination of the file does not seem to it to be appropriate given the priorities of the Data Protection Authority as specified and illustrated in the dismissal policy of the Litigation Chamber.¹⁶

 30. In the event of dismissal based on several reasons for dismissal, the latter (respectively, dismissal on technical grounds and dismissal on grounds of opportunity) should be addressed in order of importance.¹⁷


 31. In this case, the Litigation Chamber decides to dismiss the complaint on technical grounds as regards the breaches alleged against the defendant 2. The decision of the Litigation Chamber is based more specifically on the fact that the complaint is not sufficiently supported by evidence of the existence of a violation of the GDPR or of the laws on the protection of personal data. Indeed, it appears from the documents in the file that little information relating to the security measures put in place by the defendant 2 has been communicated to the Litigation Chamber. On the basis of this information, the Litigation Chamber is not in a position to determine whether defendant 2 breached its obligations as data controller.






III. Publication of the decision


 32. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for this purpose that the identification data of the parties are communicated directly.

15 Cour des marchés (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18.
16 In this respect, the Litigation Chamber refers to its dismissal policy as developed and published on the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-classification-without-continuation-of-the-litigation-chamber.pdf.
17 Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Litigation Chamber? of the dismissal policy of the Litigation Chamber.
18 Cf. Reason A.1 of the dismissal policy of the Litigation Chamber.










    FOR THESE REASONS,

    The Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by one of the defendants for treatment on the merits in accordance with articles 98 et seq. of the LCA:

      - With regard to defendant 1: pursuant to Article 58.2.a) of the GDPR and article 95, § 1, 4° of the LCA, to warn the defendant 1 for the future that the consultation of personal data in the National Register for private purposes constitutes a violation of Article 5, paragraph 1, a) and Article 6, paragraph 1 of the GDPR;
      - With regard to defendant 2: to dismiss the complaint, pursuant to article 95, §1, 3° of the LCA.






In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Court of Markets (Brussels Court of Appeal), with the Data Protection Authority as defendant.

Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory request must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud.,²⁰ or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).









    (Sr.) Hielke HIJMANS

    President of the Litigation Chamber

19 The application contains on pain of nullity:
  1° indication of the day, month and year;
  2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or Business Number;
  3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
  4° the object and summary statement of the means of the request;
  5° the indication of the judge who is seized of the application;
  6° the signature of the applicant or his lawyer.
20 The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court registry.