APD/GBA (Belgium) - 45/2023
From GDPRhub
| APD/GBA - 45/2023 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(b) GDPR Article 9(2)(a) GDPR Article 20(3) GDPR Article 254 KB 3 juli 1996 |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 27.04.2023 |
| Decided: | 27.04.2023 |
| Published: | 03.05.2023 |
| Fine: | n/a |
| Parties: | X la mutualité Y |
| National Case Number/Name: | 45/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | 45/2023 (in FR) |
| Initial Contributor: | Matthias Smet |
The complainant submits a complaint to the DPA after having repeatedly unsuccessfully addressed the controller to exercise his right to data portability in the context of switching to a new health insurance fund. The DPA rejects the complaints since the conditions in order to exercise the right to data portability were not met.
English Summary
Facts
The complainant wishes to change mutuality and asks the controller to transfer his data to the new mutuality. After several times unsuccessfully addressing the controller about this, he submits a complaint to the DPA in order to enforce a response from the controller to his request to send over the data to the new mutuality within the framework of the exercise of the right to data portability
Holding
3 cumulative conditions:
The exercise of the right to data portability is subject to three conditions that must be fulfilled cumulatively. 1. The data processing must be based on the consent of the data subject (Article 6(1)(a) GDPR and Article 9(2)(a) GDPR) or must be part of the performance of a contract (Article 6( 1)(b) GDPR)
2. According to the guidelines of working group 29 on data portability, the processed personal data must be obtained directly from the data subject. Derived or indirectly obtained data fall outside the scope of the right to data portability.
3. the processing is carried out using automated processes.
Conclusion of the DPA:
the DPA notes that the data processing carried out by the mutual insurance company is part of a legal obligation that rests on the controller, namely Article 254 of the Royal Decree 3 July 1996, which states that "every insurance institution must keep a file in the name of each beneficiary with at least the data specified in this provision". In other words, the processing is an extension of a legal obligation, rather than the performance of a contract and thus explicitly excluded from the right to data portability (Article 20(3) GDPR). It is found that the first of the cumulative conditions has not been met.
In addition, it has also been established that the file of the data subject also contains, among other things, information relating to the insurability of the data subject that has been derived on the basis of the data provided by the data subject. The second condition is therefore also not fulfilled in this case, since these data are only derived data (see guidelines previous WP29).
For the above reasons, the DPA concludes that the complainant cannot rely on the controller to make the transfer of his file to the new mutual insurance company and therefore dismisses the complaint.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/6
Litigation Chamber
Decision 45/2023 of April 27, 2023
File number: DOS-2023-00609
Subject: Complaint relating to the alleged absence following the exercise of the right to data portability
The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke
Hijmans, President, sitting alone;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and
to the free movement of such data, and repealing Directive 95/46/EC (general regulation on the
data protection), hereinafter GDPR;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter
ACL);
Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to
processing of personal data (hereinafter LTD);
Having regard to the Rules of Procedure as approved by the House of Representatives on 20
December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The plaintiff: X, hereinafter “the plaintiff”;
The defendant: Y Assurances, hereinafter: “the defendant”. Decision 45/2023 - 2/6
I. Facts and procedure
1. The complaint concerns the lack of response to the exercise of the right to portability relating to the
personal data relating to an affiliation file with the Y mutual fund.
The plaintiff was affiliated with mutual health insurance Y, the defendant. The complainant subsequently
changed health insurance and requested the transfer of his file to the defendant on January 1
2023. The transfer of his file would not have taken place, which would prevent the complainant from
receive compensation. On February 3, 2023, the plaintiff exercised his right to portability
with the defendant, ordering it to transfer its file to its new health insurance fund.
This request would have gone unanswered.
2. On March 6, 2023, the complainant filed a complaint with the Data Protection Authority.
3. On March 9, 2023, the Front Line Service of the Data Protection Authority
declares the complaint admissible on the basis of articles 58 and 60 of the LCA, and transmits it
to the Litigation Division in accordance with Article 62, § 1 of the LCA.
II. Motivation
4. Based on the facts described in the complaint file as summarized above, and on the
basis of the powers attributed to it by the legislator under Article 95, § 1
of the LCA, the Litigation Chamber decides on the follow-up to be given to the file; as it happens,
the Litigation Chamber decides to proceed with the dismissal of the complaint,
in accordance with Article 95, § 1, 3° of the LCA, for the reasons set out below.
5. In matters of dismissal, the Litigation Chamber is required to justify its
step-by-step decision and:
- to pronounce a classification without technical continuation if the file does not contain or not
sufficient elements likely to lead to a sanction or if it includes a
technical obstacle preventing him from rendering a decision;
- or pronounce a classification without further opportunity, if despite the presence
elements likely to lead to a sanction, the continuation of the examination of the
file does not seem to him to be appropriate given the priorities of the Autorité de
data protection as specified and illustrated in the Privacy Policy
dismissal of the Litigation Chamber. 2
1
Market Court (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18.
2In this respect, the Litigation Chamber refers to its policy of dismissal as developed and published on
the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-
classification-without-continuation-of-the-litigation-chamber.pdf. Decision 45/2023 - 3/6
6. In the event of dismissal based on several reasons for dismissal, these
last (respectively, classification without technical continuation and classification without continuation
3
opportunity) should be addressed in order of importance .
7. In this case, the Litigation Chamber decides to proceed with a classification without follow-up
the complaint on technical grounds. The decision of the Litigation Chamber is based more
specifically on the fact that the GDPR and other personal data protection laws
are not applicable to the complainant's grievances. The Litigation Chamber decides in
consequence of not carrying out, inter alia, an examination of the case on the merits.
8. The right to portability allows a data subject to receive or have transferred
their personal data from one controller to another. order 4
to apply the right to portability of Article 20 of the GDPR to the present case, the Chambre
Litigation must verify whether the following three cumulative conditions are met: 5
- Firstly: the data processing must be based on the consent of the
data subject (Article 6.1.a or 9.2.a of the GDPR) or necessary for the execution of a
contract (article 6.1.b of the GDPR);
- Second: the personal data processed must have been provided
by the data subject. The right to portability does not include data derived or
deduced by the controller from the information provided by the
6
concerned person ;
- Third: the processing is carried out using automated processes.
9. With regard to the first condition, the defendant, as an insurer,
guarantees the execution of the compulsory health care and indemnity insurance, of which the
is governed by the coordinated law of 14 July 1994 relating to compulsory health care insurance
7 8
health and allowances . It therefore executes one of the branches of social security.
10. In order to benefit from compulsory health care and indemnity insurance, membership of one of the
9
insurers is mandatory. Social security beneficiaries can
choose the insurer, but this affiliation remains one of the conditions for granting
social security services mentioned.
3
See Title 3 – In which cases is my complaint likely to be dismissed by the Litigation Chamber? of the
dismissal policy of the Litigation Chamber.
4Article 20.2 of the GDPR.
5O.TAMBOU, Manual of European law on the protection of personal data, Brussels, Larcier, 2020, p.203-
205.
6Article 29 Working Party, Guidelines on the right to data portability, page 12.
7
Article 3 of the law of August 6, 1990 relating to mutual societies and national unions of mutual societies, M.B. of September 28, 1990.
As a result, a mutuality which performs one of the branches of social security must be distinguished from a company
private insurance whose legal regime is established by the law of 4 April 2014 relating to insurance.
8 See in particular Articles 3 and 21.1° of the law of 29 June 1981 establishing the general principles of social security
salaried workers, M.B. of July 2, 1981.
9Article 118, paragraph 1 of the coordinated law of 14 July 1994 on compulsory health care and compensation insurance,
M.B. of August 27, 1994. Decision 45/2023 - 4/6
10 11
11. Both the financing of benefits, the beneficiaries, the conditions for granting
12
benefits and interventions of compulsory health care insurance and allowances
are determined by legal provisions. The mutuality also has the obligation to keep
a file for each beneficiary, file whose content and personal data
personnel to be treated are determined by article 254 of the royal decree of July 3, 1996
implementation of the coordinated law of 14 July 1994 relating to compulsory health care insurance
13
health and allowances (hereinafter “the Royal Decree of 3 July 1996”). The change of
mutuality is also regulated by the royal decree of July 3, 1996: mutuals must
respect a certain procedure established by the Royal Decree of 3 July 1996 so that the
change of mutuality is effective, which implies the transfer of the affiliate's file. 14
12. Since the mutuals are obliged to provide the benefits of the compulsory insurance
health care and allowances, the Litigation Chamber judges that these treatments of
personal data is necessary for compliance with a legal obligation within the meaning
of article 6.1.c of the GDPR. The Litigation Chamber notes that the nature and the object
processing of the data of a beneficiary of compulsory insurance is explicitly
mentioned in the legal provisions mentioned above.
13. Insurers may also offer complementary services
15
insurance, the content of which is of their choice. These additional services are
offered to affiliates in the form of insurance contracts.
14. Based on the elements mentioned above, the Litigation Division finds that the
data processing carried out by the defendant for the management of the plaintiff's file
is justified, within the framework of the compulsory health care and indemnity insurance, on the basis of
a legal obligation within the meaning of Article 6.1.c of the GDPR and, in the context of insurance
supplementary, on the basis of an insurance contract within the meaning of article 6.1.b of the GDPR.
10Article 191 of the coordinated law of July 14, 1994 on compulsory health care and compensation insurance.
11Article 32 of the coordinated law of 14 July 1994 on compulsory health care and compensation insurance.
12See Chapter I of Title VI “Conditions for granting benefits” of the coordinated law of 14 July 1994 relating to
13Compulsory health care insurance and allowances.
Article 254: "The insurer establishes, in the name of each holder, a file containing the application for registration, as well as
a sheet that reproduces the following data:
1. the date and the registration number of the holder, his identity as well as that of the dependents and their address as well as
their identification number in the National Register;
2. any change in the number and quality of dependents;
3. the nature of the contribution documents, the type of data transmission and the data contained therein relating to
insurability;
4. the amount and nature of the personal contributions and additional contributions, the date of their payment and the
period to which they relate;
5. a statement of the penalties imposed on the holder and his dependents.
This file also contains all the documents relating to the status of beneficiary of the holder and the dependents.
The file is kept at the level of the health insurance fund or the regional office.
All medical information relating to the holder and his dependents is kept by the doctor-
advice in a special case. »
14Articles 255 and 257 to 274 of the Royal Decree of 3 July 1996.
15Article 3, paragraph §1, b) and c) of the coordinated law of 14 July 1994 on compulsory health care insurance and
allowances read in conjunction with Article 67 of the law of April 26, 2010 on the provisions regarding the organization of
supplementary health insurance, M.B. of 28 May 2010. Decision 45/2023 - 5/6
15. However, Article 20 paragraph 3 explicitly excludes the right to data portability for
data processed necessary for compliance with a legal obligation. There is therefore no right
general to portability when data processing operations do not merge
on consent or on a contract.
16. Consequently, the Litigation Chamber concludes that the right to portability cannot be
invoked by the plaintiff to demand the transfer of his file to his new health insurance fund, because
the processing of the data necessary for the management of the complainant's file finds its basis
of lawfulness in a legal obligation. The first condition for applying the right to
portability is then not respected.
17. Furthermore, the Litigation Division notes that the second condition for invoking the right
portability is not met either. Indeed, the data included in the file of the
complainant include, among other things, data related to the insurability of the complainant. Gold
insurability – which concerns the determination of entitlement to insurance benefits
mandatory healthcare and disability - is assessed by the health insurance fund using information
provided by the beneficiary. These are therefore personal data deduced
data provided by the complainant.
III. Publication and communication of the decision
18. Given the importance of transparency with regard to the process
decision-making and the decisions of the Litigation Chamber, this decision will be published on the
website of the Data Protection Authority. However, it is not necessary for this
so that the identification data of the parties are directly communicated.
19. In accordance with its policy of dismissal, the Litigation Chamber
communicate the decision to the defendant. Indeed, the Litigation Chamber decided
to communicate the decisions of classification without follow-up to the defendants by default. There
However, the Litigation Chamber refrains from such communication when the complainant
requested anonymity vis-à-vis the defendant and when the communication of the
decision to the defendant, even pseudonymised, nevertheless risks allowing its re-
identification . This is not the case in the present case.
16Cf. Title 5 – Will the ranking without follow-up be published? Will the opposing party be informed? of the policy of
dismissal of the Litigation Chamber.
17Ibid. Decision 45/2023 - 6/6
FOR THESE REASONS,
the Litigation Chamber of the Data Protection Authority decides, after deliberation,
to close this complaint without further action pursuant to Article 95, § 1, 3° of the LCA.
In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,
within thirty days of its notification, to the Court of Markets (court
d'appel de Bruxelles), with the Data Protection Authority as defendant.
Such an appeal may be introduced by means of an interlocutory request which must contain the
information listed in article 1034ter of the Judicial Code. The interlocutory motion must be
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 19
via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).
To allow him to consider any other possible course of action, the Litigation Chamber sends
the complainant to the explanations provided in its dismissal policy. 20
The Litigation Chamber underlines that the classifications without action taken are likely
to be taken into account by the Data Protection Authority in order to set its future priorities
and/or could inspire future investigations of the Inspection Authority's own initiative.
Data protection.
(se). Hielke HIJMANS
President of the Litigation Chamber
18The motion contains on pain of nullity:
(1) indication of the day, month and year;
2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or
Business Number;
3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
(4) the object and summary statement of the means of the request;
(5) the indication of the judge who is seized of the application;
6° the signature of the applicant or his lawyer.
19The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court office.
20cf. Title 4 – What can I do if my complaint is dismissed? of the Chamber's policy of classification without follow-up
Litigation.
